Feature Request: support updating alt-names #2

Open
natemccurdy opened this issue Jul 19, 2017 · 1 comment


natemccurdy commented Jul 19, 2017

Currently, if you change the list of alt names in a certificate, the provider doesn't update the cert (or destroy and recreate it).

Not exactly sure how that'd work though.... can certs have their alt-names changed without being destroyed and recreated?

reidmv (Member) commented Jul 19, 2017

This is a valid request, but difficult to meaningfully implement. dns_alt_names in a cert can't be changed - a new cert would have to be issued.

The Puppet CA will throw away CSRs for a common name that already exists and hasn't been revoked. Currently, there is no way for a node to:

  • Request revocation for its own cert
  • Request an updated cert for its own common name

Until a mechanism exists for something like that, there's not much we can do on this end.

What we COULD do would be to make noise if the existing cert's dns_alt_names don't match the desired dns_alt_names. That would be the approach to take today when/if someone starts working on this issue. A bigger picture fix would require new certificate-management features in Puppet.
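The "make noise" approach described in the comment above needs two things: a way to read the DNS names out of the existing certificate's subjectAltName extension, and a comparison against the desired `dns_alt_names` that ignores order and case. The following is an added example written for this page, not code from the module or from Puppet itself. It builds a self-signed fixture certificate (constructed test data; a real agent cert is signed by the Puppet CA but carries the SAN extension in the same form), and the function names `build_cert_with_sans`, `cert_dns_alt_names`, `alt_name_drift` and `alt_name_warning` are this example's own. It does not assume anything about whether Puppet also places the CN in the SAN list; pass whatever list you consider the desired one.

```ruby
require 'openssl'
require 'set'

# Constructed fixture: a self-signed cert carrying the given DNS SANs. In a
# real Puppet deployment the agent cert is signed by the Puppet CA; the
# subjectAltName extension is laid out the same way, so the checks below
# apply unchanged to a cert loaded from the agent's ssldir.
def build_cert_with_sans(common_name, dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  unless dns_names.empty?
    san_value = dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san_value, false))
  end
  # The SAN extension is part of the signed tbsCertificate, which is why it
  # cannot be edited in place: any change invalidates this signature.
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names from the cert's subjectAltName extension, lower-cased. Returns an
# empty array when the extension is absent. Non-DNS entries (IP:, email:) are
# ignored because dns_alt_names only ever produces DNS entries.
def cert_dns_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] if ext.nil?
  ext.value.split(/\s*,\s*/)
           .select { |entry| entry.start_with?('DNS:') }
           .map { |entry| entry.sub(/\ADNS:/, '').downcase }
end

# Compare the SANs actually present in the cert with the desired
# dns_alt_names. Order and case do not matter; duplicates are collapsed.
def alt_name_drift(cert, desired_names)
  actual  = Set.new(cert_dns_alt_names(cert))
  desired = Set.new(desired_names.map(&:downcase))
  {
    match:   actual == desired,
    missing: (desired - actual).to_a.sort, # desired but not in the cert
    extra:   (actual - desired).to_a.sort  # in the cert but no longer desired
  }
end

# The "make noise" behaviour: a warning string when the cert is stale, nil
# when it matches. A provider would hand this string to Puppet.warning
# rather than silently leaving the cert in place.
def alt_name_warning(cert, desired_names)
  drift = alt_name_drift(cert, desired_names)
  return nil if drift[:match]
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }[1]
  "certificate for #{cn} has dns_alt_names #{cert_dns_alt_names(cert).sort.inspect}; " \
  "desired #{desired_names.map(&:downcase).sort.inspect} " \
  "(missing: #{drift[:missing].inspect}, extra: #{drift[:extra].inspect}). " \
  'SANs cannot be edited in place; the cert must be reissued.'
end

if __FILE__ == $PROGRAM_NAME
  cert = build_cert_with_sans('web01.example.com', %w[web01.example.com www.example.com])
  puts alt_name_warning(cert, %w[web01.example.com www.example.com]).inspect
  puts alt_name_warning(cert, %w[web01.example.com www.example.com api.example.com])
end
```

Comparing as sets rather than as ordered arrays matters in practice: Puppet users routinely reorder `dns_alt_names` or change the case of a hostname in a manifest, and neither should be reported as drift that would need a reissued certificate.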
