On 03/27/2013 05:09 PM, Rob Crittenden wrote:
Well, I don't like how PEM file duplicates an unnecessary amount of
information (the whole certificate). Also, copy-pasting subject might be
faster than exporting certificate in PEM and uploading it to the
We're talking a one-time operation. I don't think it's asking too much.
It also gives the user some amount of control rather than assuming that
whatever tool they're using to create the PKCS#12 file is also smart
enough to include the right CAs.
Well, to be fair, if there are any intermediate CAs, they need to be in
the PKCS#12. (In the future there may be support for multiple root CAs,
which would all get explicit trust. Those would all go in the PEM, so
intermediate ones must be somewhere else -- in the PKCS#12.)
Anyway I think it's unlikely that everybody will have the certs in the
right format for IPA by default, whatever that format is.
Honza has a point, but... If one solution is clearly better (in terms of
best/common practices in organizations this feature is for), I'm happy
to change it. Otherwise let's paint the bikeshed with the color I have
I don't want to check the subject because this RFE was prompted by IPA's
normal CA rejecting valid wildcard certs. Is there a reasonable way to
ask NSS if it will trust the cert? If there is I can put it in, but I
don't want to re-create the validation.
I'm not sure TBH. Maybe someone with more NSS experience could answer
certutil -V -u V will do it.
The usage is already checked -- and with this command, too :)
The problem here is hostname validation.
I don't think it would be onerous to assure that either the FQDN is in
the CN or it is a '*'. python-nss has fairly easy ways to grab the
subject out of a cert for this comparison.
The code checks for the whole cert chain, and that there's only one
server cert. Does that not work?
Actually I didn't check this specifically. But, I used a server
certificate with wrong subject and that made ipa-server-install fail.
One of the many cases that we will need to handle.
I found that python-nss has a verify_hostname call. I'll add it.
Freeipa-devel mailing list
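The CN check discussed in the thread (is the server FQDN in the subject CN, or does a wildcard CN cover it?), written out as an added example. This is not FreeIPA's or python-nss's code; it assumes the subject DN has already been pulled out of the certificate as a string in the form `certutil`/python-nss print it (e.g. `CN=*.example.com,O=EXAMPLE.COM`), and it only looks at the CN, not at subjectAltName entries, which a full hostname validation such as python-nss's `verify_hostname` would also consult. The wildcard rules follow the common practice of accepting `*` only as the entire leftmost label and letting it cover exactly one label.

```python
"""Check a server certificate's subject CN against the IPA server FQDN.

Added example (not FreeIPA code). Input is the subject DN as a string;
the function names and the sample subjects below are constructed.
"""


def parse_subject_cn(subject):
    """Return the CN value from a subject DN string such as
    'CN=*.example.com,O=EXAMPLE.COM', or None if there is no CN.

    Assumes the simple comma-separated form; escaped commas inside
    attribute values are not handled here.
    """
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def hostname_matches(fqdn, cn):
    """Case-insensitive match of fqdn against cn.

    A '*' is accepted only as the whole leftmost label, must leave at
    least two literal labels after it (so '*.com' is rejected), and
    covers exactly one label: '*.example.com' matches 'ipa.example.com'
    but not 'a.b.example.com' or 'example.com'.
    """
    fqdn = fqdn.lower().rstrip(".")
    cn = cn.lower().rstrip(".")
    if "*" not in cn:
        return fqdn == cn
    labels = cn.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    if any("*" in label for label in labels[1:]):
        return False
    host_labels = fqdn.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def check_server_cert(fqdn, subject):
    """Return (ok, reason) for the given FQDN and subject DN string."""
    cn = parse_subject_cn(subject)
    if cn is None:
        return False, "subject has no CN"
    if hostname_matches(fqdn, cn):
        return True, "CN %r covers %s" % (cn, fqdn)
    return False, "CN %r does not cover %s" % (cn, fqdn)


if __name__ == "__main__":
    # Constructed sample subjects, the second being the wildcard case the
    # thread says IPA's own CA rejected.
    for subj in ("CN=ipa.example.com,O=EXAMPLE.COM",
                 "CN=*.example.com,O=EXAMPLE.COM",
                 "CN=other.example.com,O=EXAMPLE.COM"):
        print(check_server_cert("ipa.example.com", subj))
```

The check is deliberately strict about where a `*` may appear: a CN like `ipa*.example.com` or `*.*.com` is refused outright rather than partially matched, which is the safer failure mode when the alternative is installing a server certificate that clients will later reject.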