When a certificate is requested and the CSR contains a Subject Alternative Name, we check that it matches one of the IPA hosts.
While this is OK for a DNS subjectAltName, it fails for example when subjectAltName contains a non-DNS name, like an email address:
Certificate Request:
    ...
    Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:foo@testcert.example.com, DNS:web.example.com
    ...
ipa cert-request result:
ipa: ERROR: no host record for subject alt name foo@testcert.example.com in certificate request
This will likely require an enhancement to python-nss so we can determine the type of alt name.
This was fixed in commit d6fb110 (the fix for #3977). Only dNSName names are checked for service and host match.
The code currently does not allow an rfc822Name in SAN when issuing certs to hosts/services, nor dNSName in SAN when issuing certs to user principals. If this is a problem, open a new ticket so we can develop clear requirements about which name types are allowed for each principal type, and how to validate them.
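A type-aware SAN check of the kind the fix describes, added here as an illustration and not FreeIPA's own code; it assumes the `cryptography` package and a constructed set of known host names standing in for the IPA host records:

```python
"""Type-aware subjectAltName check for a host/service CSR (added example, not FreeIPA code)."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed stand-in for the IPA host records the real check consults.
KNOWN_HOSTS = {"web.example.com", "db.example.com"}

# Map of short labels to the GeneralName types used when building a test CSR.
_SAN_TYPES = {
    "dns": x509.DNSName,
    "email": x509.RFC822Name,
    "uri": x509.UniformResourceIdentifier,
}


def make_csr_pem(san_entries):
    """Build a PEM CSR carrying the given SAN entries, e.g. [("email", "a@b"), ("dns", "h")]."""
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway key for the example
    names = [_SAN_TYPES[kind](value) for kind, value in san_entries]
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "web.example.com")]))
        .add_extension(x509.SubjectAlternativeName(names), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def check_host_san(csr_pem, known_hosts=KNOWN_HOSTS):
    """Return (accepted, reason) for a host/service principal.

    Every dNSName entry must match a known host, and any other GeneralName type
    (rfc822Name, URI, ...) is rejected outright, which is the post-fix rule from
    the ticket rather than the pre-fix behaviour of treating every entry as a host.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return True, "no subjectAltName present"
    for name in san:
        if isinstance(name, x509.DNSName):
            if name.value.lower() not in known_hosts:
                return False, f"no host record for subject alt name {name.value}"
        else:
            return False, f"subject alt name type {type(name).__name__} not allowed for host/service"
    return True, "all subjectAltName entries are known dNSName hosts"
```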
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: Ticket Backlog