Merge pull request #1408 from wallrj/release-notes-tweaks-1
Improve OtherNames Release notes
jetstack-bot authored Feb 1, 2024
2 parents 9eb2a32 + c48e9f6 commit 8c1fce6
Showing 2 changed files with 6 additions and 6 deletions.
4 changes: 2 additions & 2 deletions content/docs/releases/release-notes/release-notes-1.14.md
Expand Up @@ -20,7 +20,7 @@ The KeyUsage and BasicConstraints extensions will now be encoded as critical in

#### New X.509 Features

The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs,
The cert-manager [Certificate resource](../../usage/certificate.md##creating-certificate-resources) now allows you to [configure a subset of "Other Name" SANs](../../reference/api-docs.md#cert-manager.io/v1.OtherName),
which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37).

We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties).
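
Review bot: the new link target in the first changed line, `../../usage/certificate.md##creating-certificate-resources`, has a doubled `#` before the fragment, so the anchor will probably not resolve to the intended heading. Use a single `#` (`../../usage/certificate.md#creating-certificate-resources`) and confirm that heading id exists in certificate.md.
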
Expand All @@ -31,7 +31,7 @@ For example you can create certificates with this block in the spec:
- oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
utf8Value: [email protected]
```
The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates).
The feature is still in alpha stage and requires you to [enable the `OtherNames` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates).

#### New CA certificate Features
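
Review bot: the corrected sentence still calls `OtherNames` a "feature flag" while the link it sits in points at `#feature-gates`; consider saying "feature gate" so the term matches the section readers land on. Since the gate name is exactly what this change corrects, check the rest of the docs for the old `OtherName` spelling in the same pass.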

8 changes: 4 additions & 4 deletions content/docs/usage/certificate.md
Expand Up @@ -3,7 +3,7 @@ title: Certificate resource
description: 'cert-manager usage: Certificates'
---

> **apiVersion:** cert-manager.io/v1
> **apiVersion:** cert-manager.io/v1
> **kind:** Certificate
<div style={{textAlign: "center"}}>
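
Review bot: the two `> **apiVersion:** cert-manager.io/v1` lines differ only in whitespace, which is unrelated to the OtherNames wording this commit is about. If the difference is trailing spaces, note that inside a Markdown blockquote they act as a hard line break, so check that `apiVersion` and `kind` still render on separate lines; otherwise mention the whitespace cleanup in the commit message.
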
Expand Down Expand Up @@ -82,9 +82,9 @@ spec:
- spiffe://cluster.local/ns/sandbox/sa/example
ipAddresses:
- 192.168.0.5
# Needs cert-manager 1.14+ and "OtherName" feature flag
# Needs cert-manager 1.14+ and "OtherNames" feature flag
otherNames:
# Should only supply oid of ut8 valued types
# Should only supply oid of ut8 valued types
- oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID"
utf8Value: [email protected]
# Issuer references are always required.
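
Review bot: the comment `# Should only supply oid of ut8 valued types` is changed here for whitespace only and keeps the `ut8` typo. Since the line is being touched anyway, reword it to something like `# Only supply OIDs of UTF-8 valued types` so it matches the `utf8Value` field below it and the "UTF-8" wording used in the release notes.
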
Expand Down Expand Up @@ -312,7 +312,7 @@ spec:
ipRanges: ["10.10.0.0/24"]
```

Note that when used with cert-manager's built-in CA and SelfSigned Issuer, the SANs (DNS name, IP address, URI, and email address) are not checked with the certificate's own name constraints, and are not checked with any of name constraints contained in the chain of certificates the certificate belongs to.
Note that when used with cert-manager's built-in CA and SelfSigned Issuer, the SANs (DNS name, IP address, URI, and email address) are not checked with the certificate's own name constraints, and are not checked with any of name constraints contained in the chain of certificates the certificate belongs to.

The certificate may get issued successfully, but be rejected by clients during TLS handshakes.
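
Review bot: the "Note that when used with cert-manager's built-in CA and SelfSigned Issuer" paragraph changes only in whitespace, yet it is the security-relevant caveat in this file and still reads awkwardly: "checked with" should be "checked against", and "any of name constraints" is missing "the". Its parenthetical lists DNS name, IP address, URI and email address; with `otherNames` now documented further up the same file, state whether they fall under this caveat as well.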
