This bug is created as a clone of upstream ticket:
Because clients (esp. Chrome) are beginning to ignore CN, it is
imperative that host/service certs issued by FreeIPA put DNS naming
information into the Subject Alt Name extension.
Until https://pagure.io/freeipa/issue/5323 is implemented we don't have
a proper profile update machinery that is aware of what versions of
Dogtag are in the topology, but we can still improve the situation for
new installations - which will certainly use Dogtag 10.4 - by adding the
CommonNameToSANDefault profile component to the default
certificate profile in FreeIPA.
This patch is a small part of https://pagure.io/freeipa/issue/4970 but
I created this separate ticket so this particular aspect can be
triaged and merged independently.
1a35a2e213b46f3c5bb91d0f1b7fa05e8f051d4a (HEAD) Add CommonNameToSANDefault to default cert profile
33aa4c25a2c3d158e43978d8699c3776d0e06599 (HEAD) Add CommonNameToSANDefault to default cert profile
Verified on ipa-server-4.5.4-6.el7.x86_64.
Created attachment 1364765
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.