Bug 1475238 - Use CommonNameToSANDefault in default profile (new installs only)
Summary: Use CommonNameToSANDefault in default profile (new installs only)
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
Depends On:
Blocks: 1477046
TreeView+ depends on / blocked
Reported: 2017-07-26 09:19 UTC by Petr Vobornik
Modified: 2018-04-10 16:45 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-21.el7.1.2
Doc Type: If docs needed, set a value
Doc Text:
Previously, server certificates issued by IdM listed DNS naming information only in the Common Name (CN) field. However, recent web browsers have started to ignore CN in favor of the Subject Alt Name (SAN) extension. Consequently, these browsers did not recognize the certificates as valid. With this update, the CommonNameToSANDefault profile component has been added to the default certificate profile, and new IdM installations now list the DNS information correctly.
Clone Of:
: 1477046 (view as bug list)
Last Closed: 2018-04-10 16:43:55 UTC
Target Upstream Version:

Attachments (Terms of Use)
verification_steps (7.78 KB, text/plain)
2017-12-08 11:00 UTC, Michal Reznik
no flags Details

System ID Priority Status Summary Last Updated
Fedora Pagure freeipa issue 7334 None None None 2018-02-06 16:31:06 UTC
Red Hat Product Errata RHBA-2018:0918 None None None 2018-04-10 16:45:26 UTC

Description Petr Vobornik 2017-07-26 09:19:43 UTC
This bug is created as a clone of upstream ticket:

Because clients (esp. Chrome) are beginning to ignore CN, it is
imperative that host/service certs issued by FreeIPA put DNS naming
information into the Subject Alt Name extension.

Until https://pagure.io/freeipa/issue/5323 is implement we don't have
a proper profile update machinery that is aware of what versions of
Dogtag are in the topology, but we can still improve the situation for
new installations - which will certainly use Dogtag 10.4 - by adding the
CommonNameToSANDefault profile component to the default
certificate profile in FreeIPA.

This patch is a small part of https://pagure.io/freeipa/issue/4970 but
I created this separate ticket so this particular aspect can be
triaged and merged independently.

Comment 2 Petr Vobornik 2017-07-26 09:23:33 UTC
    1a35a2e213b46f3c5bb91d0f1b7fa05e8f051d4a (HEAD) Add CommonNameToSANDefault to default cert profile

    33aa4c25a2c3d158e43978d8699c3776d0e06599 (HEAD) Add CommonNameToSANDefault to default cert profile

Comment 8 Michal Reznik 2017-12-08 11:00:08 UTC
Verified on ipa-server-4.5.4-6.el7.x86_64.

Comment 9 Michal Reznik 2017-12-08 11:00:35 UTC
Created attachment 1364765 [details]

Comment 12 errata-xmlrpc 2018-04-10 16:43:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.