
(#2848) Only mark `subjectAltName` critical if `subject` is empty.
f1285a46eed2 (Unpublished)


Description

(#2848) Only mark subjectAltName critical if subject is empty.

From X509v3, the subjectAltName extension should only be marked critical if
the subject DN is empty:

"If the subject field contains an empty sequence, then the issuing CA MUST
include a subjectAltName extension that is marked as critical. When including
the subjectAltName extension in a certificate that has a non-empty subject
distinguished name, conforming CAs SHOULD mark the subjectAltName extension
as non-critical."

This applies that rule, by always marking the subjectAltName as
non-critical, because we never have an empty name in our system.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
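
An added example (not code from this commit or from the Puppet code base): a Ruby audit check that applies the rule quoted in the commit message to a parsed certificate, covering both the empty-subject and non-empty-subject cases. The sample certificates, the host names and the helper names `build_sample_cert` and `san_criticality_finding` are constructed for illustration.

```ruby
require 'openssl'

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key for the constructed samples

# Build a sample certificate carrying one DNS subjectAltName (constructed data).
# subject_rdns: [] yields an empty subject DN; san_critical sets the critical flag.
def build_sample_cert(subject_rdns, san_critical)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new(subject_rdns)
  cert.issuer = OpenSSL::X509::Name.new([['CN', 'sample-ca.example.test']])
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    factory.create_extension('subjectAltName', 'DNS:agent.example.test', san_critical)
  )
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# Classify a certificate against the quoted rule:
#   empty subject     -> subjectAltName MUST be present and critical
#   non-empty subject -> subjectAltName SHOULD be non-critical
def san_criticality_finding(cert)
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  empty_subject = cert.subject.to_a.empty?
  if san.nil?
    return empty_subject ? :missing_san_with_empty_subject : :no_san
  end
  if empty_subject
    san.critical? ? :ok : :must_be_critical
  else
    san.critical? ? :should_be_non_critical : :ok
  end
end

NAMED = [['CN', 'agent.example.test']].freeze
EMPTY = [].freeze

[[NAMED, false], [NAMED, true], [EMPTY, true], [EMPTY, false]].each do |rdns, crit|
  finding = san_criticality_finding(build_sample_cert(rdns, crit))
  puts "subject_empty=#{rdns.empty?} san_critical=#{crit} -> #{finding}"
end
```
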

Details

Provenance
Authored by: Daniel Pittman <daniel@puppetlabs.com>
Committed by: Nick Lewis <nick@puppetlabs.com> on Oct 21 2011, 7:18 PM
Pushed by: vanmeeuwen on Jun 2 2015, 2:22 PM
Parents: rPUe65a88eadc93: (#2848) Migrate `dns-alt-names` back to settings.
Branches: Unknown
Tags: Unknown

Event Timeline

Nick Lewis <nick@puppetlabs.com> committed rPUf1285a46eed2: (#2848) Only mark `subjectAltName` critical if `subject` is empty. (authored by Daniel Pittman <daniel@puppetlabs.com>). Oct 21 2011, 7:18 PM