On 20.5.2014 08:28, Martin Kosek wrote:
> Hi there,
>
> I checked the updated CA certificate renewal feature design page and one part
> seemed awkward to me:
>
> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>
> IIUC, when there are multiple iterations of a certificate stored, there will be
> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
> attributes, ipaKeyTrust, ...
>
> Given that LDAP does not guarantee order, how do I identify which cACertificate
> belongs to which attribute?

There is no such relation, ipaKey* attributes apply to all of the cACertificate attributes.


> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
> returned, how do I find out which certificate it is? Do I need to go through
> all binary blobs, parse them and see which blob matches?

No.


> Wouldn't it be better to have just one LDAP entry with one blob, one
> ipaKeyUsage, ...? I think it would then be much easier to manipulate, LDAP-wise.
> Maybe we could store certificates with a timestamp like the following?
>
> cn=auditCert-20130520,cn=certificates,cn=ipa,cn=etc,suffix
> ...
>
> cn=auditCert-20140520,cn=certificates,cn=ipa,cn=etc,suffix
> ...

Would it be easier to manipulate?


No.

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
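The entry layout Jan describes (one entry per CA, every renewed iteration of the CA certificate stored as a separate cACertificate value, with the entry's ipaKeyUsage and ipaKeyTrust values applying to all of them) can be modelled in a few lines. The block below is an added example written for this page; it is not code from the thread, from the design page or from FreeIPA. It assumes a hypothetical DN under cn=certificates,cn=ipa,cn=etc, uses constructed placeholder byte strings in place of real DER certificates, and omits the real object classes, which the thread does not name. It parses an RFC 2849 style LDIF record (base64 `::` values, `;binary` option, folded continuation lines), identifies each certificate by its own SHA-256 fingerprint rather than by its position among the values, and shows that the result is the same whichever order the server happens to return the values in.

```python
"""Model of a shared CA certificate store entry as discussed in the thread.

Added example, not FreeIPA code. The DN, object class and certificate blobs
are constructed placeholders; the blobs are NOT real DER certificates.
"""
import base64
import hashlib
from collections import defaultdict

# Constructed stand-ins for DER-encoded CA certificate iterations.
CERT_2013 = b"placeholder-der-blob-for-auditCert-issued-2013"
CERT_2014 = b"placeholder-der-blob-for-auditCert-issued-2014"

# Hypothetical entry DN; the real container name is taken from the thread.
SAMPLE_DN = "cn=auditCert,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"


def encode_ldif_value(attr, value, width=40):
    """Emit `attr:: <base64>` folded at `width` columns; continuation lines
    start with a single space (RFC 2849). A small width is used here only so
    that the folding path is exercised on short sample blobs."""
    line = f"{attr}:: {base64.b64encode(value).decode()}"
    out = [line[:width]]
    for i in range(width, len(line), width - 1):
        out.append(" " + line[i:i + width - 1])
    return "\n".join(out)


def build_sample_record(certs):
    """Build a constructed LDIF record holding the given certificate blobs.
    The real object classes are not given in the thread, so only `top` is used."""
    lines = [f"dn: {SAMPLE_DN}", "objectClass: top", "cn: auditCert"]
    for der in certs:
        lines.append(encode_ldif_value("cACertificate;binary", der))
    lines += ["ipaKeyUsage: digitalSignature",
              "ipaKeyUsage: nonRepudiation",
              "ipaKeyTrust: trusted"]
    return "\n".join(lines) + "\n"


def parse_ldif_record(text):
    """Parse one LDIF record into (dn, {attribute: [values]}).

    Lists are used only because Python needs a container: LDAP gives no
    ordering guarantee for multi-valued attributes, so nothing below may
    rely on the position of a value."""
    unfolded = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith(" ") and unfolded:     # continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dn, attrs = None, defaultdict(list)
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                  # `::` marks a base64 value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        base_name = name.split(";", 1)[0]         # drop options like ;binary
        if base_name.lower() == "dn":
            dn = value.decode()
        else:
            attrs[base_name].append(value)
    return dn, dict(attrs)


def certificates_with_trust(attrs):
    """Map each certificate (keyed by SHA-256 fingerprint of its DER bytes) to
    the entry-level ipaKeyUsage / ipaKeyTrust values. There is no per-value
    relation in the entry, so every certificate gets the same sets."""
    usage = {v.decode() for v in attrs.get("ipaKeyUsage", [])}
    trust = {v.decode() for v in attrs.get("ipaKeyTrust", [])}
    return {hashlib.sha256(der).hexdigest(): {"der": der, "usage": usage, "trust": trust}
            for der in attrs.get("cACertificate", [])}


def find_certificate(store, der):
    """Locate a certificate by content, not by position in the value list."""
    return store.get(hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    dn, attrs = parse_ldif_record(build_sample_record([CERT_2014, CERT_2013]))
    for fp, info in certificates_with_trust(attrs).items():
        print(fp[:16], sorted(info["usage"]), sorted(info["trust"]))
```

The fingerprint lookup is what replaces the "go through all binary blobs and see which matches" step Martin asks about: a client that already holds a certificate can address it directly, and the usage and trust flags it reads back are those of the entry as a whole.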
