Commit
Merge pull request #1378 from SpectralHiss/hef/add-othername-documentation

Add Certificate 'otherNames' SAN field description
Showing 2 changed files with 18 additions and 3 deletions.
|
@@ -22,8 +22,18 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in | |
|
||
#### New X.509 Features | ||
|
||
The cert-manager Certificate resource now allows you to configure "Other Name" SANs, | ||
which are useful when issuing certificates for authenticating with LDAP systems such as Microsoft Active Directory. | ||
The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, | ||
which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37). | ||
|
||
We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). | ||
These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. | ||
For example you can create certificates with this block in the spec: | ||
``` | ||
otherNames: | ||
- oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID | ||
utf8Value: [email protected] | ||
``` | ||
The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates). | ||
|
||
#### New CA certificate Features | ||
|
||
|
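Review bot: the phrase "any `otherName` type with a `UTF-8` value" in the new paragraph is imprecise, since an `otherName` in RFC 5280 carries an arbitrary ASN.1 value selected by its `type-id`; what the field can express is an `otherName` whose value is encoded as an ASN.1 `UTF8String` (as the UPN is), so "any `otherName` type whose value is a `UTF8String`" would say exactly what `utf8Value` supports and why other OIDs are out of scope. Two smaller points in the same region: the "(on page 37)" pointer is fragile and redundant next to a section-anchored link, and the sample block would render with highlighting if the fence were tagged `yaml`. The reworded "configure a subset of" plus the alpha / `OtherName` feature-gate sentence are a clear improvement over the removed lines, which implied general otherName support.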
|
@@ -74,14 +74,19 @@ spec: | |
usages: | ||
- server auth | ||
- client auth | ||
# At least one of a DNS Name, URI, or IP address is required. | ||
# At least one of a DNS Name, URI, IP address or otherName is required. | ||
dnsNames: | ||
- example.com | ||
- www.example.com | ||
uris: | ||
- spiffe://cluster.local/ns/sandbox/sa/example | ||
ipAddresses: | ||
- 192.168.0.5 | ||
# Needs cert-manager 1.14+ and "OtherName" feature flag | ||
otherNames: | ||
# Should only supply oid of ut8 valued types | ||
- oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID" | ||
utf8Value: [email protected] | ||
# Issuer references are always required. | ||
issuerRef: | ||
name: ca-issuer | ||
|
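Review bot: the comment `# Should only supply oid of ut8 valued types` has a typo ("ut8") and reads awkwardly; suggest `# Only supply OIDs whose otherName value is a UTF8String` so it matches the `utf8Value` key below it. The `# Needs cert-manager 1.14+ and "OtherName" feature flag` comment would also help readers more if it stated that the feature is alpha and pointed at the feature-gates page, as the release-note hunk in this same commit does, since a reader copying this sample into a Certificate without the gate enabled will have it rejected by the webhook. The updated `# At least one of a DNS Name, URI, IP address or otherName is required.` line correctly reflects that `otherNames` alone now satisfies the SAN requirement.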