RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1356104 - cert-show command does not display Subject Alternative Names
Summary: cert-show command does not display Subject Alternative Names
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Xiyang Dong
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-13 12:12 UTC by Petr Vobornik
Modified: 2017-08-01 09:37 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2016-07-13 12:12:48 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6022

cert-show command and thus WebUI in IPA 4.4.0 does not display Subject Alternative Names.

I think that this is quite important feature because this information helps to define scope when the certificate is usable.
Comment 1 Jan Cholasta 2016-08-26 07:07:32 UTC 
master:
https://fedorahosted.org/freeipa/changeset/0245d2aadf8b38ba68aeacf70761bd09ad927951
https://fedorahosted.org/freeipa/changeset/dae82b25bdfbec44e5db27a6fc353a46739ed8f5
https://fedorahosted.org/freeipa/changeset/e3acc3659c6349a0de837f9441c6324055d9a100
https://fedorahosted.org/freeipa/changeset/a381d888cd6effc480c373f19f6a0ecbf00c4182
https://fedorahosted.org/freeipa/changeset/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
Comment 3 Petr Vobornik 2017-03-17 16:07:00 UTC 
master:
    b6a3c9dc74ccef6f8e7df4123670d7e11269198c cert-show: show validity in default output

ipa-4-4:
    0d8f8896db8ad3a1c91cacfb009640602552f55f cert-show: show validity in default output


Was fixed with 4.5 rebase.
Comment 5 Xiyang Dong 2017-05-25 15:48:23 UTC 
on ipa-server-4.5.0-9.el7 , Subject Other Name is still not showing in default cert-show output , only showing with --all option:

# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test

# ipa cert-show 9 --all
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==,
                      1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Fingerprint (SHA1): 85:ad:61:e0:86:67:f4:0b:f3:02:08:7e:4c:29:16:9f:9b:6a:ad:04
  Fingerprint (SHA256): 26:d2:57:06:15:fa:1a:25:55:c7:e5:92:7b:33:48:a4:b3:93:ce:11:f8:2b:d2:76:ee:3d:4a:0b:00:c5:51:a3
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
Comment 6 Petr Vobornik 2017-05-25 16:13:02 UTC 
SANs are there, but they don't contain "SAN" in label, look into this commit what the labels they can have: https://pagure.io/freeipa/c/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
Comment 7 Xiyang Dong 2017-05-30 14:21:56 UTC 
Hello Fraser, I saw that you own the commit ,could you please add "SAN" in label ? Thanks
Comment 8 Fraser Tweedale 2017-05-30 23:13:46 UTC 
Xiyang, it is implicit that it is an alternative name.  The "S" in "SAN"
is for "Subject" after all.  Furthermore, "SAN" is not an official
abbreviation.
Comment 9 Xiyang Dong 2017-05-31 19:13:47 UTC 
Thanks Fraser.

Verified on ipa-server-4.5.0-9.el7, validity is shown in default output:
# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test
Comment 10 errata-xmlrpc 2017-08-01 09:37:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.