Red Hat Bugzilla – Bug 1263789
[RFE] All Host Certificate generation should allow TLSA DNS record generation
Last modified: 2017-09-27 23:29:30 EDT
Description of problem:
When generating Host Certificates it should be possible to specify that TLSA DNS records be generated.
Additionally/Alternatively the "Show Certificate" option should list the various likely options for TLSA records. Most pertinently it should give the SHA256 for the full cert and for the subject rather than forcing the user to locate the cert and perform some manual work to determine the values.
The defaults should be
Certificate Usage - 3
Selector - 0
Matching Type - 1
The sort order should be improved in the GUI to ensure that service selector components like TLSA records are located under the host record.
Possibly consider putting TLSA records in as
_cert.host TLSA a b c nnnnnnnnnn
and providing a simpler mech to create
_port._(tcp|udp).host CNAME _cert.host
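As an added illustration of what the requested "Show Certificate" output would compute (this is example code written for this page, not FreeIPA's own code), the following stdlib-only Python derives TLSA rdata from a DER certificate for the default 3 0 1 case and also for selector 1 (SubjectPublicKeyInfo) and matching types 0 and 2, then emits the _cert.host TLSA plus _port._proto CNAME layout proposed above. The helper names, the minimal DER walker and the structurally valid but meaningless sample certificate are all constructed assumptions.

```python
import hashlib

# Minimal DER helpers (stdlib only): encode a TLV, and decode one in place.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def spki_der(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from a certificate."""
    _, tbs_start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, off, tbs_end = read_tlv(cert_der, tbs_start)    # tbsCertificate
    fields = []
    while off < tbs_end:
        tag, _, end = read_tlv(cert_der, off)
        fields.append((tag, off, end))
        off = end
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]

def tlsa_rdata(cert_der, usage=3, selector=0, mtype=1):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"

def tlsa_records(host, port, proto, cert_der):
    """Emit the _cert.host TLSA record plus the _port._proto CNAME alias from the RFE."""
    return [f"_cert.{host}. IN TLSA {tlsa_rdata(cert_der)}",
            f"_{port}._{proto}.{host}. IN CNAME _cert.{host}."]

# Constructed sample certificate: empty names, zero EC key bits, zero signature.
_OID_ECPUBKEY = der(0x06, bytes.fromhex("2a8648ce3d0201"))
SAMPLE_SPKI = der(0x30, der(0x30, _OID_ECPUBKEY) + der(0x03, b"\x00\x04" + bytes(64)))
_SIGALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIGALG
           + der(0x30, b"") + der(0x30, der(0x17, b"170101000000Z") * 2)
           + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _TBS + _SIGALG + der(0x03, b"\x00" + bytes(32)))
```

Against a real host certificate, feed `tlsa_rdata` the DER bytes of the issued certificate; the 3 0 1 and 3 1 1 values are the two digests the report asks "Show Certificate" to display.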
The IdM team doesn't have the capacity to implement this RFE for RHEL 7.4. Moving to the next RHEL version. Implementing the RFE there will depend on the capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.