Puppet Server / SERVER-2591

The puppetserver ca list should show extensions alongside SANs


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.11.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Froyo
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      The `puppetserver ca list` command will now list any authorization extensions on a cert or CSR, in addition to its subject alt names.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Right now `puppetserver ca list` will show the DNS alt names in the certificate request so you can determine whether to sign based on the presence of the added SANs. A CSR may also have extension requests in it, which can also have security implications. The ppAuthCert extensions for example, specifically pp_auth_role, can be used to specify a compiler in lovejoy, and we'd like to be able to check whether or not a CSR has extensions before signing it in PE automation tooling that signs certs, for example.

      Since use of pp_auth_role requires that allowed-authorized-extensions be set true in puppetserver's ca.conf, this would allow any cert with pp_auth_role set to be signed, and it would be important for the customer to see this information as well.
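
The check the description asks for, sketched with Ruby's OpenSSL bindings as an added example (not code from this ticket or from Puppet Server). The helper names, the sample hostnames and the `needs_manual_review?` gate are hypothetical; the OID arc is Puppet's ppAuthCertExt arc, under which pp_auth_role is 1.3.6.1.4.1.34380.1.3.13.

```ruby
require 'openssl'

SAN_OID      = '2.5.29.17'                # subjectAltName
PP_AUTH_ARC  = '1.3.6.1.4.1.34380.1.3.'   # Puppet ppAuthCertExt arc
PP_AUTH_ROLE = PP_AUTH_ARC + '13'         # pp_auth_role

# Constructed sample: a PEM CSR with optional SANs and a pp_auth_role request.
def sample_csr_pem(role: nil, sans: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=agent01.example.test')
  csr.public_key = key.public_key
  exts = []
  exts << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', sans) if sans
  exts << OpenSSL::X509::Extension.new(PP_AUTH_ROLE, OpenSSL::ASN1::UTF8String.new(role).to_der) if role
  unless exts.empty?
    ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Walk the extReq attribute and sort requests into SANs, auth extensions, other.
def review_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  report = { dns_sans: [], auth_extensions: {}, other_oids: [] }
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return report unless attr
  # Each entry is SEQUENCE { oid, [critical], OCTET STRING wrapping the DER value }.
  attr.value.value.first.value.each do |ext|
    oid = ext.value.first.oid
    inner = OpenSSL::ASN1.decode(ext.value.last.value)
    if oid == SAN_OID
      # Context tag 2 is dNSName; other GeneralName types are not listed here.
      report[:dns_sans] = inner.value.select { |gn| gn.tag == 2 }.map(&:value)
    elsif oid.start_with?(PP_AUTH_ARC)
      report[:auth_extensions][oid] = inner.value
    else
      report[:other_oids] << oid
    end
  end
  report
end

# Hypothetical gate for signing automation: hold any CSR requesting auth extensions.
def needs_manual_review?(report)
  !report[:auth_extensions].empty?
end
```

Matching on the whole arc rather than on pp_auth_role alone also catches the other authorization extensions a CSR could request.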

              People

              Assignee:
              patrick Patrick Carlisle
              Reporter:
              joshua.partlow Joshua Partlow