  1. Puppet Server
  2. SERVER-2591

The puppetserver ca list should show extensions alongside SANs


Details

    • Improvement
    • Status: Resolved
    • Normal
    • Resolution: Done
    • None
    • SERVER 6.11.0
    • None
    • None
    • Enhancement
    • The `puppetserver ca list` command will now list any authorization extensions on a cert or CSR, in addition to its subject alt names.
    • Needs Assessment

    Description

      Right now `puppetserver ca list` will show the DNS alt names in the certificate request so you can determine whether to sign based on the presence of the added SANs. A CSR may also have extension requests in it, which can also have security implications. The ppAuthCert extensions, for example, specifically pp_auth_role, can be used to specify a compiler in lovejoy, and we'd like to be able to check whether or not a CSR has extensions before signing it in PE automation tooling that signs certs, for example.

      Since use of pp_auth_role requires that allowed-authorized-extensions be set to true in puppetserver's ca.conf, this would allow any cert with pp_auth_role set to be signed, and it would be important for the customer to see this information as well.
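
      The pre-signing check described above, as an added example (not Puppet Server's own code and not part of the original ticket): it reads a CSR's requested extensions and holds the request for manual review when any OID under Puppet's ppAuthCertExt arc, such as pp_auth_role (1.3.6.1.4.1.34380.1.3.13), is present. The helper names, host names and role value are assumptions, and the sample CSR is constructed in-process.

```ruby
require 'openssl'

PP_AUTH_ARC = '1.3.6.1.4.1.34380.1.3.' # Puppet ppAuthCertExt arc; pp_auth_role is .13
SAN_OID     = '2.5.29.17'              # subjectAltName

# Hypothetical helper: split a CSR's requested extensions (the PKCS#9 extReq
# attribute, a SET holding one SEQUENCE OF Extension) into SANs, Puppet
# authorization extensions and everything else.
def review_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  report = { subject: csr.subject.to_s, sans: [], auth: [], other: [] }
  csr.attributes.select { |a| a.oid == 'extReq' }.each do |attr|
    attr.value.value.first.value.each do |ext|
      oid = ext.value.first.oid # numeric OID, independent of OpenSSL short names
      if oid == SAN_OID
        san = OpenSSL::X509::Extension.new(ext.to_der).value
        report[:sans].concat(san.split(/,\s*/))
      elsif oid.start_with?(PP_AUTH_ARC)
        inner = OpenSSL::ASN1.decode(ext.value.last.value) # extnValue wraps DER
        report[:auth] << [oid, inner.value.to_s]
      else
        report[:other] << oid
      end
    end
  end
  # Automation should not auto-sign a request that asks for authorization extensions.
  report[:hold] = !report[:auth].empty?
  report
end

# Constructed sample CSR (hypothetical host names and role), for the demo only.
def sample_csr_pem(role: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=agent01.example.test')
  csr.public_key = key
  exts = [OpenSSL::X509::ExtensionFactory.new.create_extension(
    'subjectAltName', 'DNS:puppet.example.test', false)]
  if role
    exts << OpenSSL::X509::Extension.new(
      "#{PP_AUTH_ARC}13", OpenSSL::ASN1::UTF8String.new(role).to_der, false)
  end
  csr.add_attribute(OpenSSL::X509::Attribute.new(
    'extReq', OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end
```

      Calling `review_csr(sample_csr_pem(role: 'compiler'))` returns a report with `:hold` set to true and the requested role listed under `:auth`, while a CSR carrying only SANs is not held.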

            People

              patrick Patrick Carlisle
              joshua.partlow Joshua Partlow