Bug 1356104 - cert-show command does not display Subject Alternative Names
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Xiyang Dong
 
Reported: 2016-07-13 12:12 UTC by Petr Vobornik
Modified: 2017-08-01 09:37 UTC (History)

Fixed In Version: ipa-4.5.0-1.el7
Last Closed: 2017-08-01 09:37:23 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2016-07-13 12:12:48 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6022

The cert-show command, and thus the WebUI, in IPA 4.4.0 does not display Subject Alternative Names.

I think that this is quite an important feature because this information helps to define the scope in which the certificate is usable.

Comment 3 Petr Vobornik 2017-03-17 16:07:00 UTC
master:
    b6a3c9dc74ccef6f8e7df4123670d7e11269198c cert-show: show validity in default output

ipa-4-4:
    0d8f8896db8ad3a1c91cacfb009640602552f55f cert-show: show validity in default output


Was fixed with 4.5 rebase.

Comment 5 Xiyang Dong 2017-05-25 15:48:23 UTC
On ipa-server-4.5.0-9.el7, Subject Other Name is still not showing in the default cert-show output, only showing with the --all option:

# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST

# ipa cert-show 9 --all
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Other Name: 1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA==,
                      1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q=
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Fingerprint (SHA1): 85:ad:61:e0:86:67:f4:0b:f3:02:08:7e:4c:29:16:9f:9b:6a:ad:04
  Fingerprint (SHA256): 26:d2:57:06:15:fa:1a:25:55:c7:e5:92:7b:33:48:a4:b3:93:ce:11:f8:2b:d2:76:ee:3d:4a:0b:00:c5:51:a3
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
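
The two "Subject Other Name" entries in the `--all` output above are `OID:base64(DER)` pairs. The following is an added example, not part of the bug thread or of FreeIPA's code, that decodes them with a minimal DER reader to show they carry the same identities as the "Subject UPN" and "Subject Kerberos principal name" lines. The function names are hypothetical; the KRB5PrincipalName layout is taken from RFC 4556, and the sample strings are copied from the output above.

```python
import base64

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName
KRB5_OID = "1.3.6.1.5.2.2"           # KRB5PrincipalName otherName (RFC 4556)

def read_tlv(buf, pos=0):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, tag, pos=0):
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:                           # fail loudly on unexpected structure
        raise ValueError(f"expected tag {tag:#x}, got {got:#x}")
    return value, nxt

def decode_upn(der):
    return expect(der, 0x0C)[0].decode("utf-8")      # UTF8String

def decode_krb5_principal(der):
    seq, _ = expect(der, 0x30)                       # KRB5PrincipalName
    wrapped, pos = expect(seq, 0xA0)                 # [0] realm
    realm, _ = expect(wrapped, 0x1B)                 # GeneralString
    wrapped, _ = expect(seq, 0xA1, pos)              # [1] principalName
    pname, _ = expect(wrapped, 0x30)
    _name_type, pos = expect(pname, 0xA0)            # [0] name-type, unused
    wrapped, _ = expect(pname, 0xA1, pos)            # [1] name-string
    names, _ = expect(wrapped, 0x30)                 # SEQUENCE OF GeneralString
    parts, pos = [], 0
    while pos < len(names):
        part, pos = expect(names, 0x1B, pos)
        parts.append(part.decode("ascii"))
    return "/".join(parts) + "@" + realm.decode("ascii")

DECODERS = {UPN_OID: decode_upn, KRB5_OID: decode_krb5_principal}

def decode_other_name(entry):
    # entry is one "OID:base64" item as printed by `ipa cert-show --all`.
    oid, b64 = entry.strip().rstrip(",").split(":", 1)
    return oid, DECODERS[oid](base64.b64decode(b64, validate=True))  # KeyError: unknown OID

# The two values from the `--all` output above.
UPN_SAMPLE = "1.3.6.1.4.1.311.20.2.3:DDVIVFRQL2libS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVA=="
KRB5_SAMPLE = "1.3.6.1.5.2.2:MEigDxsNVEVTVFJFTE0uVEVTVKE1MDOgAwIBAaEsMCobBEhUVFAbImlibS14MzY1MG00LTAxLXZtLTExLnRlc3RyZWxtLnRlc3Q="
```

Both samples decode to `HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST`, matching the labelled lines in the default output.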

Comment 6 Petr Vobornik 2017-05-25 16:13:02 UTC
SANs are there, but they don't contain "SAN" in the label. Look into this commit to see what labels they can have: https://pagure.io/freeipa/c/48aaf2bbf5df6dcedaa466753c8fafb478cb31b2

Comment 7 Xiyang Dong 2017-05-30 14:21:56 UTC
Hello Fraser, I saw that you own the commit, could you please add "SAN" in the label? Thanks

Comment 8 Fraser Tweedale 2017-05-30 23:13:46 UTC
Xiyang, it is implicit that it is an alternative name.  The "S" in "SAN"
is for "Subject" after all.  Furthermore, "SAN" is not an official
abbreviation.

Comment 9 Xiyang Dong 2017-05-31 19:13:47 UTC
Thanks Fraser.

Verified on ipa-server-4.5.0-9.el7, validity is shown in default output:
# ipa cert-show 9 
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=ibm-x3650m4-01-vm-11.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: ibm-x3650m4-01-vm-11.testrelm.test
  Subject UPN: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Subject Kerberos principal name: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu May 25 14:26:58 2017 UTC
  Not After: Sun May 26 14:26:58 2019 UTC
  Serial number: 9
  Serial number (hex): 0x9
  Revoked: False
  Owner service: HTTP/ibm-x3650m4-01-vm-11.testrelm.test@TESTRELM.TEST

Comment 10 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

