Bug 1263789 - [RFE] All Host Certificate generation should allow TLSA DNS record generation
[RFE] All Host Certificate generation should allow TLSA DNS record generation
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-16 13:14 EDT by Martin Poole
Modified: 2017-09-25 06:18 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Poole 2015-09-16 13:14:34 EDT
Description of problem:

When generating Host Certificates it should be possible to specify that TLSA DNS records be generated.

Additionally/Alternatively the "Show Certificate" option should list the various likely options for TLSA records. Most pertinently it should give the SHA256 for the full cert and for the subject rather than forcing the user to locate the cert and perform some manual work to determine the values.

The defaults should be

  Certificate Usage - 3

  Selector - 0

  Matching Type - 1


The sort order should be improved in the GUI to ensure that service selector components like TLSA records are located under the host record.

Possibly consider putting TLSA records in as

  _cert.host TLSA a b c nnnnnnnnnn

and providing simpler mech to create

  _port._(tcp|udp).host CNAME _cert.host

records.
Comment 2 Petr Vobornik 2015-09-18 09:57:20 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5312
Comment 3 Petr Vobornik 2017-04-06 12:15:58 EDT
IdM team doesn't have capacity to implement this RFE for RHEL 7.4. Moving to next RHEL version. Implementing the RFE there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.

Note You need to log in before you can comment on or make changes to this bug.