Bug 1356104 - cert-show command does not display Subject Alternative Names
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Xiyang Dong
Reported: 2016-07-13 08:12 EDT by Petr Vobornik
Modified: 2017-08-01 05:37 EDT
Fixed In Version: ipa-4.5.0-1.el7
Last Closed: 2017-08-01 05:37:23 EDT
External Trackers: Red Hat Product Errata RHBA-2017:2304 (priority: normal, status: SHIPPED_LIVE), "ipa bug fix and enhancement update", last updated 2017-08-01 08:41:35 EDT
Description Petr Vobornik 2016-07-13 08:12:48 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6022

The cert-show command, and thus the WebUI, in IPA 4.4.0 does not display Subject Alternative Names.

I think that this is quite an important feature because this information helps to define the scope in which the certificate is usable.
Comment 3 Petr Vobornik 2017-03-17 12:07:00 EDT
master:
    b6a3c9dc74ccef6f8e7df4123670d7e11269198c cert-show: show validity in default output

ipa-4-4:
    0d8f8896db8ad3a1c91cacfb009640602552f55f cert-show: show validity in default output


Was fixed with 4.5 rebase.
Comment 5 Xiyang Dong 2017-05-25 11:48:23 EDT
On ipa-server-4.5.0-9.el7, Subject Other Name is still not showing in default cert-show output, only showing with --all option:

# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST

# ipa cert-show 9 --all
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==,
                      1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Fingerprint (SHA1): 85:ad:61:e0:86:67:f4:0b:f3:02:08:7e:4c:29:16:9f:9b:6a:ad:04
  Fingerprint (SHA256): 26:d2:57:06:15:fa:1a:25:55:c7:e5:92:7b:33:48:a4:b3:93:ce:11:f8:2b:d2:76:ee:3d:4a:0b:00:c5:51:a3
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
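
Added example, not part of the bug report or of FreeIPA's code: the two base64 "Subject Other Name" values in the --all output above are DER-encoded otherName payloads. This minimal DER reader, which handles only those two OIDs, shows that they carry the same UPN and Kerberos principal already printed under the "Subject UPN" and "Subject Kerberos principal name" labels; the function names are illustrative.

```python
import base64

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name
KRB5_OID = "1.3.6.1.5.2.2"          # id-pkinit-san, KRB5PrincipalName (RFC 4556)
OTHER_NAMES = {  # values copied from the `ipa cert-show 9 --all` output above
    UPN_OID: "DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==",
    KRB5_OID: "MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=",
}

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    # Split the content octets of a constructed value into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def expect(buf, want_tag):
    tag, val, _ = tlv(buf)
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#x}, got {tag:#x}")
    return val

def decode_other_name(oid):
    der = base64.b64decode(OTHER_NAMES[oid])
    if oid == UPN_OID:  # a single UTF8String (tag 0x0C)
        return expect(der, 0x0C).decode("utf-8")
    # KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }
    (_, realm_tlv), (_, pname_tlv) = children(expect(der, 0x30))
    realm = expect(realm_tlv, 0x1B).decode("ascii")  # GeneralString
    # PrincipalName ::= SEQUENCE { name-type [0] INTEGER, name-string [1] SEQUENCE OF }
    (_, _name_type), (_, names_tlv) = children(expect(pname_tlv, 0x30))
    parts = [v.decode("ascii") for _, v in children(expect(names_tlv, 0x30))]
    return "/".join(parts) + "@" + realm

if __name__ == "__main__":
    for oid in OTHER_NAMES:
        print(oid, "->", decode_other_name(oid))
```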
Comment 6 Petr Vobornik 2017-05-25 12:13:02 EDT
SANs are there, but they don't contain "SAN" in the label; look at this commit to see what labels they can have: https://pagure.io/freeipa/c/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2
Comment 7 Xiyang Dong 2017-05-30 10:21:56 EDT
Hello Fraser, I saw that you own the commit, could you please add "SAN" in label? Thanks
Comment 8 Fraser Tweedale 2017-05-30 19:13:46 EDT
Xiyang, it is implicit that it is an alternative name.  The "S" in "SAN"
is for "Subject" after all.  Furthermore, "SAN" is not an official
abbreviation.
Comment 9 Xiyang Dong 2017-05-31 15:13:47 EDT
Thanks Fraser.

Verified on ipa-server-4.5.0-9.el7, validity is shown in default output:
# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
Comment 10 errata-xmlrpc 2017-08-01 05:37:23 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
