Bug 1356104

Summary: cert-show command does not display Subject Alternative Names
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Xiyang Dong <xdong>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: ftweedal, ipa-maint, jcholast, ksiddiqu, pvoborni, rcritten, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:37:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2016-07-13 12:12:48 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6022

cert-show command and thus WebUI in IPA 4.4.0 does not display Subject Alternative Names.

I think that this is quite important feature because this information helps to define scope when the certificate is usable.
Comment 1 Jan Cholasta 2016-08-26 07:07:32 UTC 
master:
https://fedorahosted.org/freeipa/changeset/0245d2aadf8b38ba68aeacf70761bd09ad927951
https://fedorahosted.org/freeipa/changeset/dae82b25bdfbec44e5db27a6fc353a46739ed8f5
https://fedorahosted.org/freeipa/changeset/e3acc3659c6349a0de837f9441c6324055d9a100
https://fedorahosted.org/freeipa/changeset/a381d888cd6effc480c373f19f6a0ecbf00c4182
https://fedorahosted.org/freeipa/changeset/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
Comment 3 Petr Vobornik 2017-03-17 16:07:00 UTC 
master:
    b6a3c9dc74ccef6f8e7df4123670d7e11269198c cert-show: show validity in default output

ipa-4-4:
    0d8f8896db8ad3a1c91cacfb009640602552f55f cert-show: show validity in default output


Was fixed with 4.5 rebase.
Comment 5 Xiyang Dong 2017-05-25 15:48:23 UTC 
on ipa-server-4.5.0-9.el7 , Subject Other Name is still not showing in default cert-show output , only showing with --all option:

# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test

# ipa cert-show 9 --all
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==,
                      1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Fingerprint (SHA1): 85:ad:61:e0:86:67:f4:0b:f3:02:08:7e:4c:29:16:9f:9b:6a:ad:04
  Fingerprint (SHA256): 26:d2:57:06:15:fa:1a:25:55:c7:e5:92:7b:33:48:a4:b3:93:ce:11:f8:2b:d2:76:ee:3d:4a:0b:00:c5:51:a3
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
Comment 6 Petr Vobornik 2017-05-25 16:13:02 UTC 
SANs are there, but they don't contain "SAN" in label, look into this commit what the labels they can have: https://pagure.io/freeipa/c/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
Comment 7 Xiyang Dong 2017-05-30 14:21:56 UTC 
Hello Fraser, I saw that you own the commit ,could you please add "SAN" in label ? Thanks
Comment 8 Fraser Tweedale 2017-05-30 23:13:46 UTC 
Xiyang, it is implicit that it is an alternative name.  The "S" in "SAN"
is for "Subject" after all.  Furthermore, "SAN" is not an official
abbreviation.
Comment 9 Xiyang Dong 2017-05-31 19:13:47 UTC 
Thanks Fraser.

Verified on ipa-server-4.5.0-9.el7, validity is shown in default output:
# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
Comment 10 errata-xmlrpc 2017-08-01 09:37:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304