  1. Puppet Server
  2. SERVER-2278

Add a setting to enable signing CSRs with subject alternative names

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: DOCS
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      • Puppetserver has an allow-subject-altnames setting that allows the API to sign CSRs with alt names.
      • The setting is false by default
    • Team:
      Server
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently we completely disallow signing certificate requests with subject alternative names from Puppetserver's certificate_status endpoint. However, with the removal of the puppet cert command, users need a way to allow this. Because it could still be risky (see comments on SERVER-2268), we should introduce a setting that users can enable in puppetserver's config if they need this behavior, similar to the Ruby CA's allow-dns-alt-names. Because we intend to also support IP alt names, the name should not refer specifically to DNS.
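
A pre-signing check for the risk described above, added here as an example and not part of the ticket or of Puppet Server's code: it lists the alternative names a CSR requests and flags any that are neither the certname nor explicitly approved by the operator. The function names, hostnames and IP address are assumptions, and it relies on the `openssl` command line tool (1.1.1 or later for `-addext`).

```shell
#!/bin/sh
# Added example (not Puppet Server code): list the subject alternative names
# a CSR requests and flag any that were not expected, before signing it.

# Print one requested SAN per line in openssl's display form, e.g.
# "DNS:puppet" or "IP Address:10.0.0.5"; prints nothing if there are none.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null | awk '
        /X509v3 Subject Alternative Name/ {
            getline; sub(/^ +/, "")
            n = split($0, san, /, */)
            for (i = 1; i <= n; i++) print san[i]
        }'
}

# Print SANs that are neither DNS:<certname> nor explicitly approved.
# Usage: unexpected_sans <csr.pem> <certname> [approved SAN ...]
unexpected_sans() {
    csr=$1; certname=$2; shift 2
    approved=$(printf '%s\n' "DNS:$certname" "$@")
    csr_sans "$csr" | grep -Fvx -e "$approved"
}

# Return 0 only if the CSR parses and every requested SAN is expected.
review_csr() {
    if ! openssl req -in "$1" -noout >/dev/null 2>&1; then
        echo "cannot parse CSR: $1" >&2; return 2
    fi
    bad=$(unexpected_sans "$@") || true
    [ -z "$bad" ] && return 0
    printf 'do not sign, unapproved alt names:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample input: a throwaway key and CSR carrying the given SANs.
make_sample_csr() {  # <out.pem> <certname> <subjectAltName value>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -addext "subjectAltName=$3" -out "$1" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_csr "$dir/agent.pem" agent01.example.test \
        'DNS:agent01.example.test,DNS:puppet,IP:10.0.0.5'
    review_csr "$dir/agent.pem" agent01.example.test   # flags puppet and the IP
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Approved names must be given in the form `openssl` prints them, so an IP alt name is passed as `"IP Address:10.0.0.5"`.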


                People

                • Assignee:
                  amy.sahli Amy Sahli
                  Reporter:
                  maggie Maggie Dreyer