Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2278

Add a setting to enable signing CSRs with subject alternative names

    XMLWordPrintable

Details

    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • SERVER 5.3.6, SERVER 6.0.0
    • DOCS
    • None
      • Puppetserver has a allow-subject-altnames setting that allows the API to sign CSRs with alt names.
      • The setting is false by default
    • Froyo
    • New Feature
    • Hide
      Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
      Show
      Puppet Server now has a setting called `allow-subject-alt-names` in the `certificate-authority` section of its config for enabling signing certs with subject alternative names. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
    • Needs Assessment

    Description

      Currently we completely disallow signing certificate requests with subject alternative names from Puppetserver's certificate_status endpoint. However, with the removal of the puppet cert command, users need a way to allow this. Because it could still be risky (see comments on SERVER-2268), we should introduce a setting that users can enable in puppetserver's config if they need this behavior, similar to the Ruby CA's allow-dns-alt-names. Because we intend to also support IP alt names, the name should not refer specifically to DNS.

      Attachments

        Issue Links

          is cloned by

          New Feature - A new feature of the product, which has yet to be developed. SERVER-2290 Add a setting to enable signing CSRs with authorization extensions

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. SERVER-2318 Add CLI flag to sign CSRs with SANs

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SERVER-2268 Enable `puppetserver ca sign` to sign certs with SANs

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved

          Activity

            People

              amy.sahli Amy Sahli
              maggie Maggie Dreyer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support