On 05/20/2014 11:16 AM, Jan Cholasta wrote:
> On 20.5.2014 08:28, Martin Kosek wrote:
>> Hi there,
>> I checked the updated CA Certificate renewal feature design page and one part
>> seemed awkward to me:
>> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>> IIUC, when there are multiple iterations of a certificate stored, there will be
>> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
>> attributes, ipaKeyTrust, ...
>> Given that LDAP does not guarantee order, how do I identify which cACertificate
>> belongs to which attribute?
> There is no such relation, ipaKey* attributes apply to all of the cACertificate
> attributes.
>> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
>> returned, how do I find out which certificate it is? Do I need to go through
>> all binary blobs, parse them and look which blob matches?
> No.

Could you then please state some example in


with more than one cACertificate;binary? I think it would greatly help
understand the relation of the new schema attributes and cACertificate. As you
can see, it may be pretty confusing.


Freeipa-devel mailing list
