Adam Young wrote:
It is possible to generate a Certificate signing request from the
browser, if we use Mozilla specific code. I've mildly hacked the Mozilla
sample code to work with JQuery and to display the CSR to the screen,
instead of sending it right to the server.
I'd see this working something like this:
1. add the certificate attribute to the user plugin.
2. On the user page, if the principal of the user selected matches the
kerberos principal for the logged user, show the certificate control
3. The certificate control allows the user to request a new certificate.
4. If the user has a certificate, the certificate control allow the user
to download the certificate.
I have to look into the details, but the certificate shoud only be
useable by default in the browser that originally requested it. However,
it is fairly easy to export the certificate, along with the primary keys
that generated its CSR, such that it would be usable elsewhere: For
example https://ca.cern.ch/ca/Help/?kbid=040111
This seems like fairly simple to implement. We would not even have to
extend the API. We keep the certificate request separate from the user
until it is signed, and then add it to the user object. Thus it would be
created as a side effect of:
ipa cert-request --add [email protected] abradley.csr
Yes, CRMF is how we'll eventually add user certificate support, but this
is the easy part.
On the server side we need to add support for multiple certificate
profiles (your above request issues a server cert for the user abradley).
We also need a way to manage a queue of requests. User certificates are
a different beast from server certs and in many cases will require the
intervention of a security officer, or some other 3rd party verification.
rob
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
