Details
- Improvement
- Status: Resolved
- Normal
- Resolution: Done
- Froyo
- Enhancement
- The `puppetserver ca list` command will now list any authorization extensions on a cert or CSR, in addition to its subject alt names.
- Needs Assessment
Description
Right now `puppetserver ca list` will show the DNS alt names in the certificate request so you can determine whether to sign based on the presence of the added SANs. A CSR may also have extension requests in it, which can also have security implications. The ppAuthCert extensions, for example, specifically pp_auth_role, can be used to specify a compiler in lovejoy, and we'd like to be able to check whether or not a CSR has extensions before signing it in PE automation tooling that signs certs, for example.
Since use of pp_auth_role requires that allowed-authorized-extensions be set to true in puppetserver's ca.conf, this would allow any cert with pp_auth_role set to be signed, and it would be important for the customer to see this information as well.
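A pre-signing check of the kind described above, as an added example that is not part of the ticket or of Puppet's code: it walks a PEM CSR's DER with the standard library only (a stand-in for a full X.509 parser) and reports any OIDs under Puppet's registered ppAuthCertExt arc, where pp_auth_role is `.13`. The function names are hypothetical and the sample CSR is a constructed, unsigned skeleton.

```python
import base64

PP_AUTH_ARC = "1.3.6.1.4.1.34380.1.3."   # Puppet ppAuthCertExt arc (pp_auth_role is .13)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                      # base-128, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def iter_oids(buf, pos=0, end=None):
    """Yield every OID in the structure, descending into constructed elements."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(buf[start:stop])
        elif tag & 0x20:                   # SEQUENCE, SET, [0] attributes
            yield from iter_oids(buf, start, stop)
        pos = stop

def auth_extensions(pem):
    """Return the sorted authorization-extension OIDs requested in a PEM CSR."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return sorted({o for o in iter_oids(base64.b64decode(b64)) if o.startswith(PP_AUTH_ARC)})

# Constructed sample: an unsigned CSR skeleton (no key, no signature) requesting pp_auth_role.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice for the sample

def sample_csr(with_role=True):
    role = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010401828c4c01030d"))
                      + _tlv(0x04, _tlv(0x0C, b"compiler")))
    ext_req = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01090e")) + _tlv(0x31, _tlv(0x30, role)))
    info = _tlv(0x30, b"\x02\x01\x00" + _tlv(0x30, b"") + _tlv(0xA0, ext_req if with_role else b""))
    body = base64.b64encode(_tlv(0x30, info)).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"
```

Automation can refuse to sign, or route to manual review, whenever `auth_extensions()` returns a non-empty list for a node that is not expected to carry an authorization role.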
Issue Links
- is blocked by SERVER-2718 Send extension information with the `certificate_status` response (Resolved)