Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Certificate 'otherNames' SAN field description #1378

Merged
merged 8 commits into from
Jan 12, 2024
Merged

Add Certificate 'otherNames' SAN field description #1378

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
6671232
Add Certificate 'otherNames' SAN field description
Jan 5, 2024
62826bb
Add more explanations in release notes
Jan 9, 2024
d79ccfd
Add feature flag note
Jan 9, 2024
cde9e5d
Quotes
Jan 9, 2024
3742399
Update content/docs/releases/release-notes/release-notes-1.14.md
SpectralHiss Jan 10, 2024
4625aeb
Update content/docs/releases/release-notes/release-notes-1.14.md
SpectralHiss Jan 10, 2024
f239e34
Update content/docs/releases/release-notes/release-notes-1.14.md
SpectralHiss Jan 10, 2024
6749cea
Fix link to feature-gate configuration document
wallrj Jan 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions content/docs/releases/release-notes/release-notes-1.14.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,18 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in

#### New X.509 Features

The cert-manager Certificate resource now allows you to configure "Other Name" SANs,
which are useful when issuing certificates for authenticating with LDAP systems such as Microsoft Active Directory.
The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs,
which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37).

We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties).
These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory.
For example you can create certificates with this block in the spec:
```
otherNames:
- oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
utf8Value: upn@domain.local
```
The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates).

#### New CA certificate Features

Expand Down
7 changes: 6 additions & 1 deletion content/docs/usage/certificate.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,14 +74,19 @@ spec:
usages:
- server auth
- client auth
# At least one of a DNS Name, URI, or IP address is required.
# At least one of a DNS Name, URI, IP address or otherName is required.
dnsNames:
- example.com
- www.example.com
uris:
- spiffe://cluster.local/ns/sandbox/sa/example
ipAddresses:
- 192.168.0.5
# Needs cert-manager 1.14+ and "OtherName" feature flag
otherNames:
# Should only supply oid of ut8 valued types
- oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID"
utf8Value: upn@example.local
# Issuer references are always required.
issuerRef:
name: ca-issuer
Expand Down