Details
-
Type:
Improvement
-
Status: Resolved
-
Priority:
Normal
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: SERVER 6.11.0
-
Component/s: None
-
Labels:None
-
Template:customfield_10700 316709
-
Epic Link:
-
Team:Froyo
-
Release Notes:Enhancement
-
Release Notes Summary:The `puppetserver ca list` command will now list any authorization extensions on a cert or CSR, in addition to its subject alt names.
-
QA Risk Assessment:Needs Assessment
Description
Right now `puppetserver ca list` will show the dns alt names in the certificate request so you can determine whether to sign based on the presence of the added SANs. A CSR may also have extension requests in it, which can also have security implications. The ppAuthCert extensions for example, specifically pp_auth_role, can be used to specify a compiler in lovejoy, and we'd like to be able to check whether or not a csr has extensions before signing it in PE automation tooling that signing certs, for example.
Since use of pp_auth_role requires that allowed-authorized-extensions be set true in puppetserver's ca.conf, this would allow any cert with pp_auth_role set to be signed, and it would be important for the customer to see this information as well.
Attachments
Issue Links
- is blocked by
-
SERVER-2718 Send extension information with the `certificate_status` response
-
- Resolved
-