Feature changed by: Josef Reidinger (jreidinger)
Feature #308423, revision 11
Title: CA Management Proposal: change alternative name

openSUSE-11.3: Rejected by Matthias Eckermann (mge1512)
  reject date: 2010-09-13 20:31:19
  reject reason: 11.3 is done.
  Priority
  Requester: Important

openSUSE-11.4: Evaluation by product manager
  Priority
  Requester: Important

Requested by: Michael Calmer (mcalmer)
Product Manager: (Novell)
Project Manager: (Novell)
Engineering Manager: (Novell)
Engineering Manager: (Novell)
Developer: (Novell)
Technical Contact: (Novell)
Partner organization: openSUSE.org

Description:
Currently the CA Management proposal detects a lot of alternative names
which are added to the server certificate. These autodetected values
cannot be changed. You need to remove the certificate and create a new
one using the ca-management module, if something is wrong or not wanted.

It would be good to have the possibility to change them at this time.

References:
packages: yast2-ca-management

Discussion:
#2: Lukas Ocilka (locilka) (2011-03-30 10:03:13)
Michael, could you, please, add more information for what is actually
the expected output of this feature. Whether you want just trivial
changes (changing pre-filled ComboBoxes to editable ComboBoxes) or some
more sophisticated work is needed, some additional commands,
configuration, etc.?

+ #4: Josef Reidinger (jreidinger) (2011-06-01 15:15:57)
+ more detailed description from Michael Calmer
+
+ Hi,
+
+ First some background infos:
+ ----------------------------
+ If you create a server certificate, you sign it for a special
+ webserver with a specific name (fqdn). The old style was, adding the
+ FQDN as common name (CN) in the subject of the certificate. But
+ sometimes one name is not enough and sometimes you want to add also
+ the IP address to the certificate. For this purpose the X509v3
+ extensions add the "Subject Alternative Name" extension where you can
+ specify more (alternative) names for the server.
+
+ Now let's go to our feature:
+ ---------------------------
+ If we or our customers setup a new host they often do not have a
+ correct network setup and yast2-ca-management has a hard time to find
+ the correct hostname for the default. yast2-ca-management originally
+ used only "hostname -f" to get the hostname, but you know what this
+ command returns if the network setup is not correct. (nothing,
+ linux.site, etc.).
+
+ Some years ago I was asked to find out everything I can and add all
+ this information to the "Subject Alternative Name". Currently
+ yast2-ca-management calls "hostname -f", finds all IP addresses and
+ makes a reverse lookup to the hostnames of these IP addresses and puts
+ everything into the "Subject Alternative Name".
+ (See ca-management/src/utils.ycp Line 1511 getHostIPs()
+ ca-management/src/ca_mgm_proposal.ycp Line 55 )
+
+ These values are gathered in MakeProposal and displayed in the
+ proposal screen, but if the customer thinks they are wrong or the
+ customer wants to remove e.g. the IP addresses, he is not able to do
+ this. You can change all the other settings, but there is no space
+ left on the page where you can do this for a widget to change the
+ Alternative name.
+
+ The goal of this feature is, to make this changing page a wizard and
+ add a second page where you can change the "Subject Alternative Name".
+ We have already "widgets" to display and change "Subject Alternative
+ Name" (See ca-management/src/new_cert_callbacks.ycp Line ~698)
+ Maybe you can re-use them.
+
+ How to see it and test it:
+ --------------------------
+ On a SLE11 (SP1) call "yast2 test_proposal service". The proposal
+ window shows up and you see the proposal for the certificates.
+
+ CA Management
+ -------------
+ CA Name: YaST_Default_CA
+ Common Name: YaST Default CA (f25)
+ Server Name: f25.suse.de
+ Country: DE
+ Password: [root password]
+ E-Mail: postmaster@suse.de
+ Alternative Names: IP: 10.10.103.237 DNS:g237.suse.de
+
+ In the last line you see the "Alternative Names".
+
+ If you now click on the "CA Management" link you get a screen which
+ asks you what you want to do:
+
+ * Create Default CA and Certificate [Button "Edit Default Settings"]
+ * Do not Create CA and Certificate
+ * Import CA and Certificate from Disk
+
+ Click on the button "Edit Default Settings". Now you see the screen
+ with a lot of widgets for all the settings of the CA and the
+ Certificate, except for the "Subject Alternative Name".
+
+ If you start this in ncurses mode you will see, that this screen is
+ "full". So it may be a good idea to introduce a second page for the
+ new values.
+
+ --
+ Regards
+ Michael Calmer

--
openSUSE Feature:
https://features.opensuse.org/308423
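
An added example, not code from yast2-ca-management or from this thread, of the behaviour the discussion describes: collecting the FQDN, the local IP addresses and their reverse-lookup names as "Subject Alternative Name" candidates, then letting the administrator edit that list before the certificate is signed. The function names, the placeholder filter and the loopback/link-local skip are assumptions of this example; inputs are passed in rather than queried from the system so that it runs offline.

```python
import ipaddress

# Names the thread cites as "hostname -f" output on a broken network setup.
PLACEHOLDER_NAMES = {"", "linux.site"}


def propose_alt_names(fqdn, ip_addrs, reverse_names):
    """FQDN, each local IP and each IP's reverse-lookup name, in that order."""
    entries = []

    def add(kind, value):
        if (kind, value) not in entries:      # keep order, drop duplicates
            entries.append((kind, value))

    def add_dns(name):
        name = (name or "").strip().rstrip(".").lower()
        if name not in PLACEHOLDER_NAMES and "." in name:
            add("DNS", name)

    add_dns(fqdn)
    for raw in ip_addrs:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue                          # unparsable input is skipped
        if ip.is_loopback or ip.is_link_local:
            continue                          # this example's choice (assumption)
        add("IP", str(ip))
        add_dns(reverse_names.get(raw))
    return entries


def apply_edits(entries, remove=(), add=()):
    """The requested second page: the admin drops or adds entries."""
    kept = [e for e in entries if e not in remove]
    for e in add:
        if e not in kept:
            kept.append(e)
    return kept


def to_openssl(entries):
    return ", ".join(f"{kind}:{value}" for kind, value in entries)


if __name__ == "__main__":
    # Constructed input reusing the address and name shown in the thread.
    found = propose_alt_names("linux.site", ["127.0.0.1", "10.10.103.237"],
                              {"10.10.103.237": "g237.suse.de."})
    print(to_openssl(apply_edits(found, remove=[("IP", "10.10.103.237")])))
```

Every entry that survives the edit step becomes a name the signed certificate is valid for, so a reverse-lookup result that does not belong to the host should be removed at this point rather than after issuance.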