  1. Puppet Server
  2. SERVER-2322

Backport advanced cert signing settings to Server 5

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: SERVER 5.3.5
    • Fix Version/s: SERVER 5.3.6
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      Puppet Server 5 has

      • an allow-subject-alt-names setting
      • an allow-authorization-extensions setting
    • Team:
      Froyo
    • Release Notes:
      New Feature
    • Release Notes Summary:
      We have added two settings to Puppet Server's CA configuration: `allow-subject-alt-names` and `allow-authorization-extensions`. These are false by default. When set to true, they allow CSRs with subject alt names or special auth extensions to be signed by the puppetserver CA API. These flags are needed to sign such certs via the `puppetserver ca sign` command, which replaces `puppet cert` in Puppet 6, because the new command signs certs via the CA API.
    • QA Risk Assessment:
      Needs Assessment

      Description

      We are including the puppetserver CA CLI gem in Server 5 builds so people can migrate away from the deprecated puppet cert. However, the puppetserver cert signing code doesn't currently support signing certs with SANs or auth extensions in Server 5. In Server 6 we introduced two settings, allow-subject-alt-names and allow-authorization-extensions, to the certificate-authority section of the server config. We should backport these settings to Server 5 to fully enable signing certs with the new CA CLI. Both should be false by default.

            People

            Assignee:
            maggie Maggie Dreyer
            Reporter:
            maggie Maggie Dreyer