Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2278

Add a setting to enable signing CSRs with subject alternative names

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: DOCS
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      • Puppetserver has a allow-subject-altnames setting that allows the API to sign CSRs with alt names.
      • The setting is false by default
    • Epic Link:
    • Team:
      Froyo
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
      Show
      Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently we completely disallow signing certificate requests with subject alternative names from Puppetserver's certificate_status endpoint. However, with the removal of the puppet cert command, users need a way to allow this. Because it could still be risky (see comments on SERVER-2268), we should introduce a setting that users can enable in puppetserver's config if they need this behavior, similar to the Ruby CA's allow-dns-alt-names. Because we intend to also support IP alt names, the name should not refer specifically to DNS.

        Attachments

          Issue Links

          is cloned by

          New Feature - A new feature of the product, which has yet to be developed. SERVER-2290 Add a setting to enable signing CSRs with authorization extensions

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. SERVER-2318 Add CLI flag to sign CSRs with SANs

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Accepted

          Improvement - An improvement or enhancement to an existing feature or task. SERVER-2268 Enable `puppetserver ca sign` to sign certs with SANs

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved

            Activity

              People

              Assignee:
              amy.sahli Amy Sahli
              Reporter:
              maggie Maggie Dreyer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support