On 03/27/2013 05:09 PM, Rob Crittenden wrote:
Well, I don't like how the PEM file duplicates an unnecessary amount of
information (the whole certificate). Also, copy-pasting the subject might be
faster than exporting the certificate in PEM and uploading it to the

We're talking a one-time operation. I don't think it's asking too much.
It also gives the user some amount of control rather than assuming that
whatever tool they're using to create the PKCS#12 file is also smart
enough to include the right CAs.

Well, to be fair, if there are any intermediate CAs, they need to be in the PKCS#12. (In the future there may be support for multiple root CAs, which would all get explicit trust. Those would all go in the PEM, so intermediate ones must be somewhere else -- in the PKCS#12.)

Anyway I think it's unlikely that everybody will have the certs in the right format for IPA by default, whatever that format is. Honza has a point, but... If one solution is clearly better (in terms of best/common practices in organizations this feature is for), I'm happy to change it. Otherwise let's paint the bikeshed with the color I have ready :)

I don't want to check the subject because this RFE was prompted by IPA's
normal CA rejecting valid wildcard certs. Is there a reasonable way to
ask NSS if it will trust the cert? If there is I can put it in, but I
don't want to re-create the validation.

I'm not sure TBH. Maybe someone with more NSS experience could answer.

certutil -V -u V will do it.

The usage is already checked -- and with this command, too :)
The problem here is hostname validation.

I don't think it would be onerous to assure that either the FQDN is in
the CN or it is a '*'. python-nss has fairly easy ways to grab the
subject out of a cert for this comparison.

The code checks the whole cert chain, and that there's only one
server cert. Does that not work?

Actually I didn't check this specifically. But, I used a server
certificate with wrong subject and that made ipa-server-install fail.

One of the many cases that we will need to handle.

I found that python-nss has a verify_hostname call. I'll add it.
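The hostname check discussed in this thread, as an added example written for this page (it is not FreeIPA's code and does not reproduce python-nss's verify_hostname): given the DNS names taken from a certificate's Subject CN and subjectAltName, it decides whether the certificate covers the server's FQDN, honouring a wildcard only as the whole leftmost label so that a wildcard cert for the domain is accepted while a cert for the wrong host is rejected. The certificate names and FQDNs below are constructed sample values; the "at least two fixed labels after the wildcard" rule is this example's own policy choice.

```python
"""Hostname check for a third-party server certificate (added example)."""

from typing import List, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the root and
    # is ignored for matching.
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against fqdn."""
    pattern = _normalize(pattern)
    fqdn = _normalize(fqdn)
    if not pattern or not fqdn:
        return False
    if "*" not in pattern:
        return pattern == fqdn
    # Wildcard rules used here (conservative, in the spirit of RFC 6125 6.4.3):
    #   - '*' must be the entire leftmost label ('*.example.com'); an
    #     embedded wildcard ('w*.example.com') or one in a later label is refused
    #   - it stands in for exactly one label, so it covers neither the bare
    #     domain nor deeper subdomains
    #   - at least two fixed labels must follow it, so '*.com' and a bare '*'
    #     are refused (example's own policy choice)
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = fqdn.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers_host(fqdn: str, subject_cn: Optional[str], san_dns: List[str]) -> bool:
    """True if the certificate's names cover fqdn.

    As RFC 6125 describes, when subjectAltName carries DNS names the CN is
    not consulted; the CN is only a fallback for certificates without a SAN.
    """
    if san_dns:
        candidates = list(san_dns)
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(dns_name_matches(name, fqdn) for name in candidates)


if __name__ == "__main__":
    # Constructed sample certificates: (description, subject CN, SAN DNS names)
    samples = [
        ("exact-match cert", "ipa.example.com", []),
        ("wildcard cert", "*.example.com", ["*.example.com"]),
        ("cert for another host", "other.example.com", ["other.example.com"]),
    ]
    for label, cn, san in samples:
        ok = cert_covers_host("ipa.example.com", cn, san)
        print(f"{label}: {'accepted' if ok else 'rejected'} for ipa.example.com")
```

This is only the name check; the usage check the thread already covers with certutil -V -u V (and the chain validation the installer does) is a separate step, and both have to pass before the PKCS#12 is accepted.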


Freeipa-devel mailing list