SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues
GNU General Public License v2.0
1 stars 1 forks source link

Index SAN extension and search for certs by hostname #490

Closed SilleBille closed 4 years ago

SilleBille commented 5 years ago

This issue was migrated from Pagure Issue #3092.Originally filed by cheimes on 2019-01-28

For IPA and other use cases, it would be useful to get a list of certificates that are valid for a given host name, IP address, or email address.

When Dogtag stores a certificate, it also stores X.509 properties the subject name, issuer name, and OIDs of extensions. There is no efficient way to search for certificates by hostname. RFC 2818 and subsequent RFCs have deprecated CN in subject in favor of the subjectAltName X509v3 extension. The SAN extension can contain several kinds of general names. I'm mostly interested in DNS and IP, but URI, RFC822Name, and other may be useful, too.

Once SAN extensions are indexed, cert search should grow an argument to find certs by hostname with simple wildcard matching and fallback to CN.