Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2278

Add a setting to enable signing CSRs with subject alternative names

          Details

          • Type: New Feature
          • Status: Closed
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
          • Component/s: DOCS
          • Labels:
            None
          • Template:
            PUP Bug Template
          • Acceptance Criteria:
            • Puppetserver has a allow-subject-altnames setting that allows the API to sign CSRs with alt names.
            • The setting is false by default
          • Epic Link:
          • Team:
            Server
          • Release Notes:
            New Feature
          • Release Notes Summary:
            Hide
            Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
            Show
            Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
          • QA Risk Assessment:
            Needs Assessment

            Description

            Currently we completely disallow signing certificate requests with subject alternative names from Puppetserver's certificate_status endpoint. However, with the removal of the puppet cert command, users need a way to allow this. Because it could still be risky (see comments on SERVER-2268), we should introduce a setting that users can enable in puppetserver's config if they need this behavior, similar to the Ruby CA's allow-dns-alt-names. Because we intend to also support IP alt names, the name should not refer specifically to DNS.

              Attachments

                Issue Links

                is cloned by

                New Feature - A new feature of the product, which has yet to be developed. SERVER-2290 Add a setting to enable signing CSRs with authorization extensions

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed
                relates to

                New Feature - A new feature of the product, which has yet to be developed. SERVER-2318 Add CLI flag to sign CSRs with SANs

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Accepted

                Improvement - An improvement or enhancement to an existing feature or task. SERVER-2268 Enable `puppetserver ca sign` to sign certs with SANs

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Resolved

                  Activity

                    People

                    • Assignee:
                      amy.sahli Amy Sahli
                      Reporter:
                      maggie Maggie Dreyer
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      4 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Zendesk Support