[openFATE 308423] CA Management Proposal: change alternative name
Feature changed by: Josef Reidinger (jreidinger)
Feature #308423, revision 13
Title: CA Management Proposal: change alternative name

openSUSE-11.3: Rejected by Matthias Eckermann (mge1512)
reject date: 2010-09-13 20:31:19
reject reason: 11.3 is done.
Requester: Important

openSUSE-11.4: Evaluation by product manager
Requester: Important

Requested by: Michael Calmer (mcalmer)
Currently the CA Management proposal detects a lot of alternative names
which are added to the server certificate. These autodetected values
cannot be changed. You need to remove the certificate and create a new
one using the ca-management module, if something is wrong or not
It would be good to have the possibility to change them at this time.

packages: yast2-ca-management

#2: Lukas Ocilka (locilka) (2011-03-30 10:03:13)
Michael, could you please add more information on what the expected
output of this feature actually is? Whether you want just trivial
changes (changing pre-filled ComboBoxes to editable ComboBoxes) or some
more sophisticated work is needed, some additional commands,
configuration, etc.?

#4: Josef Reidinger (jreidinger) (2011-06-01 15:15:57)
more detailed description from Michael Calmer

Hi,

First some background infos:
----------------------------
If you create a server certificate, you sign it for a special webserver
with a specific name (fqdn). The old style was adding the FQDN as common
name (CN) in the subject of the certificate. But sometimes one name is
not enough and sometimes you want to add also the IP address to the
certificate. For this purpose the X509v3 extensions add the "Subject
Alternative Name" extension where you can specify more (alternative)
names for the server.

Now let's go to our feature:
---------------------------
If we or our customers set up a new host they often do not have a
correct network setup and yast2-ca-management has a hard time finding
the correct hostname for the default. yast2-ca-management originally
used only "hostname -f" to get the hostname, but you know what this
command returns if the network setup is not correct. (nothing,, etc.).

Some years ago I was asked to find out everything I can and add all
this information to the "Subject Alternative Name". Currently
yast2-ca-management calls "hostname -f", finds all IP addresses, makes a
reverse lookup to the hostnames of these IP addresses and puts
everything into the "Subject Alternative Name".
(See ca-management/src/utils.ycp Line 1511 getHostIPs()
ca-management/src/ca_mgm_proposal.ycp Line 55 )

These values are gathered in MakeProposal and displayed in the proposal
screen, but if the customer thinks they are wrong or the customer wants
to remove e.g. the IP addresses, he is not able to do this. You can
change all the other settings, but there is no space left on the page
where you can do this for a widget to change the Alternative name.

The goal of this feature is to make this changing page a wizard and add
a second page where you can change the "Subject Alternative Name". We
have already "widgets" to display and change "Subject Alternative Name"
(See ca-management/src/new_cert_callbacks.ycp Line ~698)
Maybe you can re-use them.

How to see it and test it:
--------------------------
On a SLE11 (SP1) call "yast2 test_proposal service". The proposal
window shows up and you see the proposal for the certificates.

CA Management
-------------
CA Name: YaST_Default_CA
Common Name: YaST Default CA (f25)
Server Name:
Country: DE
Password: [root password]
E-Mail: postmaster@xxxxxxx
Alternative Names: IP:

In the last line you see the "Alternative Names". If you now click on
the "CA Management" link you get a screen which asks you what you want
to do:

* Create Default CA and Certificate [Button "Edit Default Settings"]
* Do not Create CA and Certificate
* Import CA and Certificate from Disk

Click on the button "Edit Default Settings". Now you see the screen with
a lot of widgets for all the settings of the CA and the Certificate,
except for the "Subject Alternative Name". If you start this in ncurses
mode you will see that this screen is "full". So it may be a good idea
to introduce a second page for the new values.

--
Regards
Michael Calmer
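
A check an administrator could run over auto-detected entries before
accepting such a proposal, as an added example that is not part of the
original thread or of yast2-ca-management. The function names, the
placeholder host list and the sample entries are assumptions constructed
for illustration; entries use the "DNS:" / "IP:" prefixes of the
subjectAltName syntax.

```python
import ipaddress

# Assumed list of names that never identify a real server (illustrative).
PLACEHOLDER_HOSTS = {"localhost", "localhost.localdomain"}


def review_entry(entry):
    """Return a reason if a SAN entry looks wrong, or None if it is fine."""
    kind, sep, value = entry.partition(":")  # split at the first colon only
    kind, value = kind.strip().upper(), value.strip()
    if not sep or not value:
        return "empty or malformed entry"
    if kind == "IP":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "not a valid IP address"
        if addr.is_loopback:
            return "loopback address"
        if addr.is_link_local:
            return "link-local address"
        if addr.is_unspecified:
            return "unspecified address"
        return None
    if kind == "DNS":
        name = value.rstrip(".").lower()
        if name in PLACEHOLDER_HOSTS:
            return "placeholder host name"
        if "." not in name:
            return "not fully qualified"
        return None
    return "unsupported entry type"


def review_proposal(entries):
    """Split proposed entries into (keep, flagged) where flagged maps entry -> reason."""
    keep, flagged = [], {}
    for entry in entries:
        reason = review_entry(entry)
        if reason:
            flagged[entry] = reason
        else:
            keep.append(entry)
    return keep, flagged


# Constructed sample of what autodetection on a half-configured host might yield.
SAMPLE = ["DNS:www.example.com", "DNS:localhost", "DNS:linux",
          "IP:127.0.0.1", "IP:192.0.2.10", "IP:fe80::1", "IP:"]
```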

#5: Josef Reidinger (jreidinger) (2011-06-01 15:56:53) (reply to #4)
After discussion with Michael: there is place for a button, so it is
better to allow editing via a button and not force a two-window wizard.

+ #6: Josef Reidinger (jreidinger) (2011-06-07 15:13:25)
+ for SP2 done. Port to opensuse need to wait until I have I features for
+ SP2

openSUSE Feature:

