Specify Name Constraints in CA Certificate #3655
Comments
Important Feature: Will be a critical addition to controlling boundaries for Sub CAs.
Issues go stale after 90d of inactivity.
/remove-lifecycle stale
Stale issues rot after 30d of inactivity.
Rotten issues close after 30d of inactivity.
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@t-cas: Reopened this issue. In response to this:
/remove-lifecycle rotten
Any timelines?
@smarunich I'm just another observer on this issue, but I think it's pretty clear that this is not currently a priority of the maintainers and there are no timelines. It seems likely that this will only happen if/when this work is funded and someone engages the maintainers with a concrete proposal and implementation.
Hey, I am happy to report that this feature request is very high in the list of community requests for bugs and features! It currently stands at the 6th position. We (Venafi-sponsored maintainers) often use the number of thumbs up as a way to guide what to do next on our community-focused time. At this point, the most requested feature is "certificate presets" with 49 thumbs up. That's what we have decided to work on for the next release as part of our "community time". In the meantime, I'd be glad to talk and help design the feature and to review a contributor's PR if someone is interested!
@maelvls, looks like this issue has got more votes since then. Can you help in taking this up in the current cycle?
@maelvls Is someone working on this? If not, I am interested to take this forward.
This seems possible now if enabling a feature gate, ref. https://cert-manager.io/docs/usage/certificate/#creating-certificate-with-name-constraints. I wonder if this issue can be closed, or if there is something missing? It would be nice to get some feedback from users who have shown interest in this feature!
Is your feature request related to a problem? Please describe.
When creating a Certificate CR using flag isCA: true, there is today no possibility to specify Name Constraints to apply restrictions on the CN and SAN for this Sub-CA.

Describe the solution you'd like
a new section spec.nameConstraints in Certificate CR for example:

/kind feature
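
What a Name Constraints extension on a Sub-CA changes for a relying party, as an added example (not cert-manager code and not taken from this issue): a Go `crypto/x509` chain in which the sub-CA is limited to one DNS subtree. The function names and the hostnames are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyUnderConstrainedSubCA builds root -> sub-CA (permitted subtree) -> leaf(san), returns the Verify error.
func VerifyUnderConstrainedSubCA(permitted, san string) error {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := sign(ca("constructed root"), nil, nil)
	subTmpl := ca("constructed sub-CA")
	subTmpl.PermittedDNSDomainsCritical, subTmpl.PermittedDNSDomains = true, []string{permitted}
	sub, subKey := sign(subTmpl, root, rootKey)
	leaf, _ := sign(&x509.Certificate{Subject: pkix.Name{CommonName: san}, DNSNames: []string{san},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
func main() { // hostnames below are constructed sample values
	fmt.Println("in scope:    ", VerifyUnderConstrainedSubCA("example.internal", "api.example.internal"))
	fmt.Println("out of scope:", VerifyUnderConstrainedSubCA("example.internal", "login.example.com"))
}
```

Go's verifier applies the DNS constraint to the leaf's SAN entries, so the sub-CA's key can still sign an out-of-scope certificate but a verifier that enforces the extension rejects the chain.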