On 20.5.2014 08:28, Martin Kosek wrote:
Hi there,

I checked the update CA Certificate renewal feature design page and one part
seemed awkward to me:


IIUC, when there are multiple iterations of a certificate stored, there will be
one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
attributes, ipaKeyTrust, ...

Given that LDAP does not guarantee order, how do I identify which cACertificate
belongs to which attribute?

There is no such relation, ipaKey* attributes apply to all of the cACertificate attributes.

If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
returned, how do I find out which certificate it is? Do I need to go through
all binary blobs, parse them and look which blob matches?


Wouldn't it be better to have just one LDAP entry with one blob, one
ipaKeyUsage, ...? I think it would then be much easier to manipulate, LDAP-wise.
Maybe we could store certificates with a timestamp like the following?



Would it be easier to manipulate?



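The situation discussed above, as an added example that is not FreeIPA code and not taken from the design page. It builds an LDAP entry in the shape the thread describes (one entry, several cACertificate values, entry-level ipaKeyUsage and ipaKeyTrust) and shows the consequence Martin raises: a search hit on ipaKeyUsage returns every blob of the entry, so telling them apart means DER-decoding each one. The two certificates are constructed, unsigned skeletons with dummy key and signature bytes, the `der`/`cert_summary` helpers are a minimal hand-written DER walker, and the concrete ipaKeyUsage/ipaKeyTrust values are assumptions.

```python
# Added example; not FreeIPA code and not from the design page. It models
# the multi-valued layout from the thread (one entry, several cACertificate
# values, entry-level ipaKeyUsage/ipaKeyTrust) and the decoding a client has
# to do to tell the certificate values apart. The certificates are
# constructed skeletons (dummy key, dummy signature); the ipaKeyUsage and
# ipaKeyTrust values below are assumed, not taken from the design.

OID_COMMON_NAME = b"\x55\x04\x03"                         # id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_cert(serial, not_after, cn):
    """Constructed, unsigned X.509 v3 skeleton: SEQUENCE { tbs, alg, sig }."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"140101000000Z") + der(0x17, not_after.encode()))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))          # placeholder public key
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))    # dummy signature bits


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content):
    """Split a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def cert_summary(blob):
    """Pull serial, subject CN and notAfter out of a DER certificate."""
    _, cert, _ = der_read(blob)
    fields = der_children(der_children(cert)[0][1])       # tbsCertificate
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    _, not_after = der_children(fields[3][1])             # validity: notBefore, notAfter
    cn = None
    for _, rdn in der_children(fields[4][1]):             # subject: SET OF RDN
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == OID_COMMON_NAME:
                cn = value[1].decode()
    return {"serial": serial, "cn": cn, "not_after": not_after[1].decode()}


# Constructed entry in the multi-valued layout, attribute values as lists of
# bytes the way python-ldap returns them. ipaKeyUsage/ipaKeyTrust values assumed.
OLD_CA = make_cert(1, "160101000000Z", "Example CA")
NEW_CA = make_cert(2, "200101000000Z", "Example CA")
CA_ENTRY = {
    "cn": [b"Example CA"],
    "cACertificate;binary": [OLD_CA, NEW_CA],
    "ipaKeyUsage": [b"digitalSignature", b"keyCertSign", b"cRLSign"],
    "ipaKeyTrust": [b"trusted"],
}


def search_by_usage(entries, usage):
    """Model of an (ipaKeyUsage=<usage>) search: each matching entry comes
    back with all of its cACertificate values, since the usage is entry-level."""
    return [e["cACertificate;binary"] for e in entries if usage in e.get("ipaKeyUsage", [])]


def newest_certificate(entry):
    """Decode every blob and keep the one with the latest notAfter (UTCTime
    strings within one century compare correctly as text). This is the
    parse-all-blobs step the multi-valued layout forces on the client."""
    return max((cert_summary(b) for b in entry["cACertificate;binary"]),
               key=lambda s: s["not_after"])


if __name__ == "__main__":
    hits = search_by_usage([CA_ENTRY], b"keyCertSign")
    print("entries matching keyCertSign:", len(hits), "- blobs in first hit:", len(hits[0]))
    for blob in hits[0]:
        print(cert_summary(blob))
    print("newest:", newest_certificate(CA_ENTRY))
```

With the multi-valued layout the usage search returns a single entry carrying both blobs, and only `cert_summary` (serial, CN, notAfter) distinguishes the old CA certificate from its renewal; the per-entry layout Martin suggests would make the search itself return exactly the certificate asked for. Real certificates should be decoded with python-cryptography rather than a hand-rolled walker; the minimal parser here only exists so the example runs without third-party packages.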