Feature changed by: Lukas Ocilka (locilka)
Feature #308423, revision 21
Title: CA Management Proposal: change alternative name

openSUSE-11.3: Rejected by Matthias Eckermann (mge1512)
  reject date: 2010-09-13 20:31:19
  reject reason: 11.3 is done.
  Priority
  Requester: Important

openSUSE-11.4: Rejected by Lukas Ocilka (locilka)
  reject date: 2011-06-14 15:14:25
  reject reason: Not done in time to make it for 11.4.
  Priority
  Requester: Important

openSUSE 12.1: Done
  Priority
  Requester: Important

Requested by: Michael Calmer (mcalmer)
Partner organization: openSUSE.org

Description:
Currently the CA Management proposal detects a lot of alternative names which are added to the server certificate. These autodetected values cannot be changed. You need to remove the certificate and create a new one using the ca-management module, if something is wrong or not wanted.
It would be good to have the possibility to change them at this time.

References: packages: yast2-ca-management

Documentation Impact:
- Does this impact the installation doc (Screenshots?)
+ No docu impact, see comment #8

Discussion:

#2: Lukas Ocilka (locilka) (2011-03-30 10:03:13)
Michael, could you, please, add more information for what is actually the expected output of this feature. Whether you want just trivial changes (changing pre-filled ComboBoxes to editable ComboBoxes) or some more sophisticated work is needed, some additional commands, configuration, etc.?

#4: Josef Reidinger (jreidinger) (2011-06-01 15:15:57)
more detailed description from Michael Calmer

Hi,

First some background infos:
----------------------------
If you create a server certificate, you sign it for a special webserver with a specific name (fqdn). The old style was adding the FQDN as common name (CN) in the subject of the certificate. But sometimes one name is not enough and sometimes you want to add also the IP address to the certificate.
For this purpose the X509v3 extensions add the "Subject Alternative Name" extension where you can specify more (alternative) names for the server.

Now let's go to our feature:
---------------------------
If we or our customers set up a new host they often do not have a correct network setup and yast2-ca-management has a hard time finding the correct hostname for the default. yast2-ca-management originally used only "hostname -f" to get the hostname, but you know what this command returns if the network setup is not correct (nothing, linux.site, etc.).
Some years ago I was asked to find out everything I can and add all this information to the "Subject Alternative Name".
Currently yast2-ca-management calls "hostname -f", finds all IP addresses, makes a reverse lookup to the hostnames of these IP addresses and puts everything into the "Subject Alternative Name".
(See ca-management/src/utils.ycp Line 1511 getHostIPs()
     ca-management/src/ca_mgm_proposal.ycp Line 55 )

These values are gathered in MakeProposal and displayed in the proposal screen, but if the customer thinks they are wrong or the customer wants to remove e.g. the IP addresses, he is not able to do this. You can change all the other settings, but there is no space left on the page where you can do this for a widget to change the Alternative name.

The goal of this feature is to make this changing page a wizard and add a second page where you can change the "Subject Alternative Name".
We have already "widgets" to display and change "Subject Alternative Name"
(See ca-management/src/new_cert_callbacks.ycp Line ~698)
Maybe you can re-use them.

How to see it and test it:
--------------------------
On a SLE11 (SP1) call "yast2 test_proposal service". The proposal window shows up and you see the proposal for the certificates.

CA Management
-------------
CA Name: YaST_Default_CA
Common Name: YaST Default CA (f25)
Server Name: f25.suse.de
Country: DE
Password: [root password]
E-Mail: postmaster@suse.de
Alternative Names: IP: 10.10.103.237 DNS:g237.suse.de

In the last line you see the "Alternative Names".
If you now click on the "CA Management" link you get a screen which asks you what you want to do:

* Create Default CA and Certificate [Button "Edit Default Settings"]
* Do not Create CA and Certificate
* Import CA and Certificate from Disk

Click on the button "Edit Default Settings".
Now you see the screen with a lot of widgets for all the settings of the CA and the Certificate, except for the "Subject Alternative Name".
If you start this in ncurses mode you will see that this screen is "full". So it may be a good idea to introduce a second page for the new values.

--
Regards
Michael Calmer

#5: Josef Reidinger (jreidinger) (2011-06-01 15:56:53) (reply to #4)
After discussion with Michael:
There is space for a button, so it is better to allow editing via a button and not force a two-window wizard.

#6: Josef Reidinger (jreidinger) (2011-06-07 15:13:25)
For SP2 done. Port to openSUSE needs to wait until I have I features for SP2

#7: Lukas Ocilka (locilka) (2011-07-19 14:32:33)
MC: Do you remember whether this CA Mgmt has any impact on the documentation, especially screenshots? See "Docu Impact". Thx

#8: Michael Calmer (mcalmer) (2011-07-19 15:24:04) (reply to #7)
It seems that this screen is not described in the manual. This would mean => no docu impact.

--
openSUSE Feature:
https://features.opensuse.org/308423
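
Added example, not part of the thread and not the module's YCP code: a Python sketch of the review that comment #4 asks for, taking the autodetected values, dropping the ones an unconfigured network produces, optionally removing IP addresses, and building the value for an OpenSSL subjectAltName line. The function names, the extra placeholder hostnames and the sample list are assumptions made for this illustration.

```python
import ipaddress
import re

# "linux.site" comes from the discussion; the other two are assumptions.
PLACEHOLDERS = {"linux.site", "localhost", "localhost.localdomain"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Constructed sample of autodetected values (names and IP from the proposal).
SAMPLE = ["f25.suse.de", "", "linux.site", "10.10.103.237",
          "g237.suse.de", "127.0.0.1", "G237.suse.de."]


def is_fqdn(name):
    """True for a syntactically valid DNS name with at least two labels."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) > 1 and all(map(LABEL.match, labels))


def classify(value, drop_ips):
    """Return (san_entry, None) or (None, reason) for one normalised value."""
    if not value:
        return None, "empty"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        if value in PLACEHOLDERS:
            return None, "placeholder hostname"
        if not is_fqdn(value):
            return None, "not a fully qualified name"
        return f"DNS:{value}", None
    if drop_ips:
        return None, "IP addresses excluded"
    if ip.is_loopback or ip.is_link_local:
        return None, "loopback/link-local"
    return f"IP:{ip}", None


def review_alt_names(candidates, drop_ips=False):
    """Return (kept SAN entries, [(raw value, rejection reason), ...])."""
    kept, rejected = [], []
    for raw in candidates:
        entry, reason = classify(raw.strip().rstrip(".").lower(), drop_ips)
        if reason:
            rejected.append((raw, reason))
        elif entry not in kept:  # duplicates are dropped silently
            kept.append(entry)
    return kept, rejected


def subject_alt_name(kept):
    return ",".join(kept)  # value for OpenSSL's "subjectAltName =" line
```

The rejected list is what an administrator would look at before signing: every name left in the certificate is a name the server is vouched for under.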