URL: https://github.com/freeipa/freeipa/pull/773 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
frasertweedale commented: """ Was there agreement that this should be implemented? (I am personally against it, because the next release should update the default profile to use the new CommonNameToSanExtDefault profile component). If we do implement this, IMO it should be a per-profile configuration, because there may be legitimate use cases where SAN is not needed. If we do pursue the current approach, we should further check not only that SAN is present, but that it contains a DNSName. Put another way, with the current patch, SAN can be present, but it might contain only KRB5PrincipalName and no DNSName, and therefore the warning will not show, but it probably should have warned. """ See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
