[openFATE 308423] CA Management Proposal: change alternative name
Feature changed by: Josef Reidinger (jreidinger)
Feature #308423, revision 11
Title: CA Management Proposal: change alternative name

openSUSE-11.3: Rejected by Matthias Eckermann (mge1512)
reject date: 2010-09-13 20:31:19
reject reason: 11.3 is done.
Requester: Important

openSUSE-11.4: Evaluation by product manager
Requester: Important

Requested by: Michael Calmer (mcalmer)
Product Manager: (Novell)
Project Manager: (Novell)
Engineering Manager: (Novell)
Engineering Manager: (Novell)
Developer: (Novell)
Technical Contact: (Novell)
Partner organization:

Currently the CA Management proposal detects a lot of alternative names
which are added to the server certificate. These autodetected values
cannot be changed. You need to remove the certificate and create a new
one using the ca-management module, if something is wrong or not
It would be good to have the possibility to change them at this time.

packages: yast2-ca-management

#2: Lukas Ocilka (locilka) (2011-03-30 10:03:13)
Michael, could you please add more information about what the expected
output of this feature actually is? Do you want just trivial changes
(changing pre-filled ComboBoxes to editable ComboBoxes), or is some
more sophisticated work needed, some additional commands,
configuration, etc.?

+ #4: Josef Reidinger (jreidinger) (2011-06-01 15:15:57)
+ more detailed description from Michael Calmer
+
+ Hi,
+
+ First some background infos:
+ ----------------------------
+ If you create a server certificate, you sign it for a special
+ webserver with a specific name (fqdn). The old style was adding the
+ FQDN as common name (CN) in the subject of the certificate. But
+ sometimes one name is not enough and sometimes you want to add also
+ the IP address to the certificate. For this purpose the X509v3
+ extensions add the "Subject Alternative Name" extension where you can
+ specify more (alternative) names for the server.
+
+ Now let's go to our feature:
+ ---------------------------
+ If we or our customers set up a new host they often do not have a
+ correct network setup and yast2-ca-management has a hard time finding
+ the correct hostname for the default. yast2-ca-management originally
+ used only "hostname -f" to get the hostname, but you know what this
+ command returns if the network setup is not correct. (nothing,, etc.).
+
+ Some years ago I was asked to find out everything I can and add all
+ this information to the "Subject Alternative Name". Currently
+ yast2-ca-management calls "hostname -f", finds all IP addresses, makes
+ a reverse lookup to the hostnames of these IP addresses and puts
+ everything into the "Subject Alternative Name".
+ (See ca-management/src/utils.ycp Line 1511 getHostIPs()
+ ca-management/src/ca_mgm_proposal.ycp Line 55 )
+
+ These values are gathered in MakeProposal and displayed in the
+ proposal screen, but if the customer thinks they are wrong or the
+ customer wants to remove e.g. the IP addresses, he is not able to do
+ this. You can change all the other settings, but there is no space
+ left on the page where you can do this for a widget to change the
+ Alternative name.
+
+ The goal of this feature is to make this changing page a wizard and
+ add a second page where you can change the "Subject Alternative Name".
+ We have already "widgets" to display and change "Subject Alternative
+ Name" (See ca-management/src/new_cert_callbacks.ycp Line ~698)
+ Maybe you can re-use them.
+
+ How to see it and test it:
+ --------------------------
+ On a SLE11 (SP1) call "yast2 test_proposal service". The proposal
+ window shows up and you see the proposal for the certificates.
+
+ CA Management
+ -------------
+ CA Name: YaST_Default_CA
+ Common Name: YaST Default CA (f25)
+ Server Name:
+ Country: DE
+ Password: [root password]
+ E-Mail: postmaster@xxxxxxx
+ Alternative Names: IP:
+
+ In the last line you see the "Alternative Names". If you now click on
+ the "CA Management" link you get a screen which asks you what you want
+ to do:
+
+ * Create Default CA and Certificate [Button "Edit Default Settings"]
+ * Do not Create CA and Certificate
+ * Import CA and Certificate from Disk
+
+ Click on the button "Edit Default Settings". Now you see the screen
+ with a lot of widgets for all the settings of the CA and the
+ Certificate, except for the "Subject Alternative Name". If you start
+ this in ncurses mode you will see that this screen is "full". So it
+ may be a good idea to introduce a second page for the new values.
+
+ --
+ Regards
+ Michael Calmer
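
The gathering step described in comment #4 and the requested editing step, sketched in Python as an added example (this is not yast2-ca-management's YCP code). The function names, the loopback filter and the sample addresses are assumptions constructed for illustration; the output uses the `subjectAltName` syntax of an OpenSSL configuration file.

```python
import ipaddress

def propose_alt_names(fqdn, addresses, reverse_lookup):
    """Gather candidates as comment #4 describes: FQDN, each IP, its reverse name."""
    entries = []

    def add(kind, value):
        if value and (kind, value) not in entries:
            entries.append((kind, value))

    add("DNS", (fqdn or "").strip().lower())   # empty when the lookup returned nothing
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:                      # assumption: never certify loopback
            continue
        add("IP", str(ip))
        add("DNS", (reverse_lookup(addr) or "").strip().rstrip(".").lower())
    return entries

def edit_alt_names(entries, remove=(), add=()):
    """The requested second wizard page: drop proposed entries, append validated ones."""
    kept = [e for e in entries if e not in remove]
    for kind, value in add:
        if kind == "IP":
            value = str(ipaddress.ip_address(value))   # ValueError on a malformed address
        elif kind != "DNS" or not value.strip():
            raise ValueError(f"unsupported alternative name: {kind}:{value}")
        if (kind, value) not in kept:
            kept.append((kind, value))
    return kept

def to_openssl(entries):
    """Render in the subjectAltName syntax of an OpenSSL config file."""
    return ",".join(f"{kind}:{value}" for kind, value in entries)

# Constructed sample: host with no usable FQDN, documentation-range addresses.
SAMPLE_ADDRESSES = ["127.0.0.1", "192.0.2.10", "2001:db8::10"]
SAMPLE_REVERSE = {"192.0.2.10": "web01.example.com."}

PROPOSAL = propose_alt_names("", SAMPLE_ADDRESSES, SAMPLE_REVERSE.get)
EDITED = edit_alt_names(PROPOSAL,
                        remove=[e for e in PROPOSAL if e[0] == "IP"],
                        add=[("DNS", "www.example.com")])

if __name__ == "__main__":
    print("proposed:", to_openssl(PROPOSAL))
    print("edited:  ", to_openssl(EDITED))
```

Every name and address left in the list is one the signed certificate will be valid for, which is why the proposal needs a review step before the CA signs it.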


