Puppet Server: SERVER-2290

Add a setting to enable signing CSRs with authorization extensions


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: DOCS
    • Labels: None
    • Release Notes Summary:
      • Puppet Server has an allow-authorization-extensions setting that allows the API to sign CSRs with authorization extensions.
      • The setting is false by default.
    • Team: Froyo
    • Release Notes: New Feature
      Puppet Server now has a setting called `allow-authorization-extensions` in the `certificate-authority` section of its config for enabling signing certs with authorization extensions. It is false by default for security reasons, but users who know they need this behavior should enable the setting there. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
    • QA Risk Assessment: Needs Assessment

    Description

      Currently we completely disallow signing certificate requests that carry authorization extensions from Puppet Server's certificate_status endpoint. However, with the removal of the `puppet cert` command, users need a way to allow this. Because it could still be risky (the extensions in a CSR are chosen by the requester, so signing them as-is lets an agent assert its own privileges; see the comments on SERVER-2268), we should introduce a setting that users can enable in Puppet Server's config if they need this behavior, similar to the Ruby CA's allow-authorization-extensions.


      Useful code: 

      Take a look at how we did https://tickets.puppetlabs.com/browse/SERVER-2278; we'll want to do something similar.

      https://github.com/puppetlabs/puppetserver/blob/2e271f7c6768cf60f56d396f74b28ce62e3bd677/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L1054
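
      As an added example (my own code, not Puppet Server's and not the Clojure linked above), here is the check this setting gates, written in Python over the DER-encoded extensionRequest attribute of a PKCS#10 CSR so it runs without a Puppet installation: it lists the requested extension OIDs, picks out the ones under the Puppet authorization arc, and refuses to sign unless `allow-authorization-extensions` is explicitly true. The arc 1.3.6.1.4.1.34380.1.3 and the pp_role / pp_auth_role OIDs are assumptions from memory of Puppet's OID registry, not something this ticket states; the sample CSR extensions and the config dicts are constructed for the example.

```python
"""Added example, not Puppet Server's own code: the signing gate controlled by
allow-authorization-extensions, over the DER extensionRequest of a CSR.

Assumptions (mine, not from the ticket): the Puppet authorization-extension
arc is 1.3.6.1.4.1.34380.1.3 (pp_auth_role = .13) and pp_role is
1.3.6.1.4.1.34380.1.1.13. Sample extensions and config dicts are constructed.
"""
from typing import Dict, List, Tuple

PUPPET_AUTH_ARC = "1.3.6.1.4.1.34380.1.3"  # assumed arc, see docstring


# Minimal DER helpers: enough for OID / OCTET STRING / UTF8String / SEQUENCE.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; first arc 0 or 1 only, which covers 1.3.6.1..."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, given the OID body without tag and length."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_extension_request(exts: List[Tuple[str, bytes]]) -> bytes:
    """SEQUENCE OF Extension { extnID OID, extnValue OCTET STRING }, each
    value wrapping a UTF8String, as csr_attributes-style string extensions do."""
    items = b"".join(
        _der_tlv(0x30, encode_oid(oid) + _der_tlv(0x04, _der_tlv(0x0C, value)))
        for oid, value in exts)
    return _der_tlv(0x30, items)


def requested_extension_oids(ext_req_der: bytes) -> List[str]:
    """Walk the extensionRequest and return every extnID in request order."""
    tag, seq, _ = _read_tlv(ext_req_der, 0)
    if tag != 0x30:
        raise ValueError("extensionRequest must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        oid_tag, oid_body, _ = _read_tlv(ext, 0)
        if oid_tag != 0x06:
            raise ValueError("Extension must start with extnID")
        oids.append(decode_oid(oid_body))
    return oids


def oid_in_arc(oid: str, arc: str) -> bool:
    """Component-wise prefix test. A plain str.startswith() would wrongly
    treat 1.3.6.1.4.1.34380.1.30 as lying under the ...1.3 arc."""
    o, a = oid.split("."), arc.split(".")
    return len(o) >= len(a) and o[:len(a)] == a


def authorization_extensions(ext_req_der: bytes) -> List[str]:
    return [o for o in requested_extension_oids(ext_req_der)
            if oid_in_arc(o, PUPPET_AUTH_ARC)]


def may_sign(config: Dict[str, Dict[str, bool]], ext_req_der: bytes) -> Tuple[bool, str]:
    """Deny by default: an absent or non-true setting counts as false, matching
    the ticket's 'false by default'. CSRs without authorization extensions are
    unaffected by the setting and pass as before."""
    allowed = config.get("certificate-authority", {}).get(
        "allow-authorization-extensions", False)
    auth = authorization_extensions(ext_req_der)
    if auth and allowed is not True:
        return False, ("CSR requests authorization extension(s) %s but "
                       "allow-authorization-extensions is not true" % ", ".join(auth))
    return True, "ok"


# Constructed sample: a CSR asking for pp_role (registered arc, harmless) and
# pp_auth_role (authorization arc, the one the setting gates).
SAMPLE_EXT_REQ = build_extension_request([
    ("1.3.6.1.4.1.34380.1.1.13", b"webserver"),  # pp_role (assumed OID)
    ("1.3.6.1.4.1.34380.1.3.13", b"admin"),      # pp_auth_role (assumed OID)
])
# Parsed equivalents of the ca.conf fragments
#   certificate-authority: { allow-authorization-extensions: false }   (default)
#   certificate-authority: { allow-authorization-extensions: true }    (opted in)
DEFAULT_CONF = {"certificate-authority": {"allow-authorization-extensions": False}}
OPTED_IN_CONF = {"certificate-authority": {"allow-authorization-extensions": True}}
```

      Two points worth carrying into any real implementation: the setting is read deny-by-default (absent, or anything other than boolean true, refuses), and the arc test compares OID components rather than string prefixes, since a `startswith` check would misclassify a sibling arc such as 1.3.6.1.4.1.34380.1.30.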

People: Amy Sahli (amy.sahli), Maggie Dreyer (maggie)