From 667123223718e285b8dbb77f2884b311241a2715 Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Fri, 5 Jan 2024 15:43:49 +0000 Subject: [PATCH 1/8] Add Certificate 'otherNames' SAN field description Signed-off-by: SpectralHiss --- content/docs/usage/certificate.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/content/docs/usage/certificate.md b/content/docs/usage/certificate.md index 049b5267294..9d6fe85fdc7 100644 --- a/content/docs/usage/certificate.md +++ b/content/docs/usage/certificate.md @@ -74,7 +74,7 @@ spec: usages: - server auth - client auth - # At least one of a DNS Name, URI, or IP address is required. + # At least one of a DNS Name, URI, IP address or otherName is required. dnsNames: - example.com - www.example.com @@ -82,6 +82,11 @@ spec: - spiffe://cluster.local/ns/sandbox/sa/example ipAddresses: - 192.168.0.5 + # Needs cert-manager 1.14+ and OtherName feature flag + otherNames: + # Should only supply oid of ut8 valued types + - oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID" + utf8Value: upn@example.local # Issuer references are always required. issuerRef: name: ca-issuer From 62826bbaa6c1819fae5e309308336a151047c487 Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Tue, 9 Jan 2024 17:35:36 +0000 Subject: [PATCH 2/8] Add more explanations in release notes * Explains the motivation behind the OtherName feature Signed-off-by: SpectralHiss --- .../releases/release-notes/release-notes-1.14.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 651e6fcebb5..8b7adf12320 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -22,8 +22,17 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in #### New X.509 Features -The cert-manager Certificate resource now allows you to configure "Other Name" SANs, -which are useful when issuing certificates for authenticating with LDAP systems such as Microsoft Active Directory. +The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs. +Other Name is one of the GeneralNames like dnsName, IP , URL or URI SAN, described [page 37 in this RFC section on SANs](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) + +We specifically support any utf8 valued otherName type such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [sAMAccountName](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). +These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. +For example you can create certificates with this block in the spec: +``` + otherNames: + - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID + utf8Value: upn@domain.local +``` #### New CA certificate Features From d79ccfd7e796bca8c602ee121ffb63ba6cca1bb1 Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Tue, 9 Jan 2024 17:41:45 +0000 Subject: [PATCH 3/8] Add feature flag note Signed-off-by: SpectralHiss --- content/docs/releases/release-notes/release-notes-1.14.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 8b7adf12320..d5f06438073 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -33,6 +33,7 @@ For example you can create certificates with this block in the spec: - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID utf8Value: upn@domain.local ``` +The feature is still in alpha stage and requires you to enable the "OtherName" feature flag in controller and webhook components, [details here](https://cert-manager.io/docs/installation/configuring-components/#feature-gates). #### New CA certificate Features From cde9e5de563bf59d1c617b6b57e8d947240b89de Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Tue, 9 Jan 2024 17:44:37 +0000 Subject: [PATCH 4/8] Quotes Signed-off-by: SpectralHiss --- content/docs/usage/certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/usage/certificate.md b/content/docs/usage/certificate.md index 9d6fe85fdc7..87e508223c5 100644 --- a/content/docs/usage/certificate.md +++ b/content/docs/usage/certificate.md @@ -82,7 +82,7 @@ spec: - spiffe://cluster.local/ns/sandbox/sa/example ipAddresses: - 192.168.0.5 - # Needs cert-manager 1.14+ and OtherName feature flag + # Needs cert-manager 1.14+ and "OtherName" feature flag otherNames: # Should only supply oid of ut8 valued types - oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID" From 3742399997a9f857df1e58a2ac474071b1560398 Mon Sep 17 00:00:00 2001 From: Houssem El Fekih Date: Wed, 10 Jan 2024 18:47:01 +0000 Subject: [PATCH 5/8] Update content/docs/releases/release-notes/release-notes-1.14.md Co-authored-by: Richard Wall Signed-off-by: Houssem El Fekih --- content/docs/releases/release-notes/release-notes-1.14.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index d5f06438073..1a6503fe656 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -22,8 +22,8 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in #### New X.509 Features -The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs. -Other Name is one of the GeneralNames like dnsName, IP , URL or URI SAN, described [page 37 in this RFC section on SANs](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) +The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, +which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37). We specifically support any utf8 valued otherName type such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [sAMAccountName](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. From 4625aeb23d518db8bf70014ef4eedda717cf4e76 Mon Sep 17 00:00:00 2001 From: Houssem El Fekih Date: Wed, 10 Jan 2024 18:47:15 +0000 Subject: [PATCH 6/8] Update content/docs/releases/release-notes/release-notes-1.14.md Co-authored-by: Richard Wall Signed-off-by: Houssem El Fekih --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 1a6503fe656..d4e1c27ab0f 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -25,7 +25,7 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37). -We specifically support any utf8 valued otherName type such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [sAMAccountName](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). +We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example you can create certificates with this block in the spec: ``` From f239e34ffa123e5f63687ef51a99d9db0d924245 Mon Sep 17 00:00:00 2001 From: Houssem El Fekih Date: Wed, 10 Jan 2024 18:48:29 +0000 Subject: [PATCH 7/8] Update content/docs/releases/release-notes/release-notes-1.14.md Co-authored-by: Richard Wall Signed-off-by: Houssem El Fekih --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index d4e1c27ab0f..0c89290d452 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -33,7 +33,7 @@ For example you can create certificates with this block in the spec: - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID utf8Value: upn@domain.local ``` -The feature is still in alpha stage and requires you to enable the "OtherName" feature flag in controller and webhook components, [details here](https://cert-manager.io/docs/installation/configuring-components/#feature-gates). +The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components/README.md#feature-gates). #### New CA certificate Features From 6749ceadea398ce997f0e61939ca7b39ab456202 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Fri, 12 Jan 2024 16:05:48 +0000 Subject: [PATCH 8/8] Fix link to feature-gate configuration document Signed-off-by: Richard Wall --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 0c89290d452..efd073a510f 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md @@ -33,7 +33,7 @@ For example you can create certificates with this block in the spec: - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID utf8Value: upn@domain.local ``` -The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components/README.md#feature-gates). +The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates). #### New CA certificate Features
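Review bot: in patch 1/8, first hunk of `content/docs/usage/certificate.md`, the new comment `# At least one of a DNS Name, URI, IP address or otherName is required.` mixes capitalisation styles ("DNS Name" vs "otherName") and drops the serial comma; suggest `# At least one of a DNS name, URI, IP address, or otherName is required.` It would also help to say whether an `otherNames` entry satisfies this requirement only when the feature gate is enabled, since the second hunk states the field needs the `OtherName` flag.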
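Review bot: in patch 1/8, second hunk of `content/docs/usage/certificate.md`, the comment `# Should only supply oid of ut8 valued types` has a typo ("ut8") and does not say what happens for an OID whose value is not a UTF-8 string (rejected by the webhook, or encoded incorrectly?). Suggest `# Only otherName types whose value is a UTF-8 string are supported; other OIDs are rejected` (or whatever the actual behaviour is), and drop the stray quotes in `# User Principal Name "OID"`. The sample `upn@example.local` here also differs from `upn@domain.local` in the release notes added by patch 2/8; pick one placeholder for both files.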
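Review bot: in patch 2/8, the code fence around the `otherNames:` snippet has no language tag; tag it as yaml so it renders with highlighting like the surrounding spec examples. The sentence `Other Name is one of the GeneralNames like dnsName, IP , URL or URI SAN, described [page 37 ...]` has a stray space before the comma and is missing "on" before the link (patch 5/8 later rewrites it, so those two commits could be squashed). Since the text explains that a UPN `otherName` is what LDAP/Active Directory uses to map the certificate to an account, one sentence advising readers to restrict which requesters or issuers may set `otherNames` (via issuer or CA policy) would round out the note.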
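Review bot: in patch 3/8, the feature-gate link is an absolute URL to `https://cert-manager.io/docs/...`, which will not track versioned copies of the docs; use a relative path as the later patches do. The added line also sits directly after the closing fence with no blank line, and "still in alpha stage" reads better as "still in alpha".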
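Review bot: in patch 4/8, the change only adds quotes around `OtherName` in the comment, while the adjacent context line `# Should only supply oid of ut8 valued types` still carries the "ut8" typo; fixing it in the same touch would avoid a follow-up commit. Consider squashing this into patch 1/8.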
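Review bot: in patch 5/8, the rewritten sentence links to the RFC 5280 section anchor and then adds "(on page 37)"; the anchor already locates the section, and page numbers refer only to the text rendering of the RFC, so the parenthetical can be dropped. Otherwise the wording is a clear improvement over patch 2/8.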
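Review bot: in patch 6/8, `UTF-8` is set in backticks as if it were an identifier; the identifier readers need is the field name from `certificate.md`, so suggest `We specifically support any `otherName` type whose value is a UTF-8 string (set via `utf8Value`), such as ...`. Linking `sAMAccountName` as code is consistent with the rest of the docs and fine.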
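Review bot: in patch 7/8, the new relative link targets `../../installation/configuring-components/README.md#feature-gates`, a README inside a directory that patch 8/8 immediately corrects to `../../installation/configuring-components.md#feature-gates`; squash the two so the series never carries a broken link. The diff does not show the target document, so please confirm that a `#feature-gates` heading exists there.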