On 05/20/2014 11:16 AM, Jan Cholasta wrote:
> On 20.5.2014 08:28, Martin Kosek wrote:
>> Hi there,
>>
>> I checked the update CA Certificate renewal feature design page and one part
>> seemed awkward to me:
>>
>> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>>
>> IIUC, when there are multiple iterations of a certificate stored, there will be
>> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
>> attributes, ipaKeyTrust, ...
>>
>> Given that LDAP does not guarantee order, how do I identify which cACertificate
>> belongs to which attribute?
> 
> There is no such relation, ipaKey* attributes apply to all of the cACertificate
> attributes.
> 
>>
>> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
>> returned, how do I find out which certificate it is? Do I need to go through
>> all binary blobs, parse them and look which blob matches?
> 
> No.

Could you then please state some example in

http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store

with more than one cACertificate;binary? I think it would greatly help
understand the relation of the new schema attributes and cACertificate. As you
can see, it may be pretty confusing.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
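The data-model point made in the exchange above (ipaKey* values are multi-valued on the same entry as the cACertificate;binary values, with no per-value link and no guaranteed ordering) is easy to get wrong when writing a client. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed LDIF entry carrying two cACertificate;binary values plus shared ipaKeyUsage / ipaKeyTrust attributes, reports every certificate with the same entry-wide metadata, and shows that shuffling the server's value order changes nothing. The DN, the ipaKeyUsage / ipaKeyTrust value strings and the certificate blobs are assumptions and placeholders; only the attribute names come from the thread.

```python
import base64
import hashlib
import random

# Constructed placeholder blobs standing in for two DER-encoded CA
# certificates.  They are distinct byte strings, not parseable X.509.
CERT_A = b"\x30\x82" + b"A" * 30
CERT_B = b"\x30\x82" + b"B" * 30


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed LDIF entry.  The DN and the ipaKeyUsage / ipaKeyTrust
# values are assumptions; the attribute names follow the thread.
SAMPLE_LDIF = f"""dn: cn=EXAMPLE.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST IPA CA
cACertificate;binary:: {b64(CERT_A)}
cACertificate;binary:: {b64(CERT_B)}
ipaKeyUsage: digitalSignature
ipaKeyUsage: keyCertSign
ipaKeyTrust: trusted
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    '::' introduces a base64 value (how ;binary attributes are written),
    ':' a plain value.  Lines starting with a space are LDIF
    continuations and are folded back onto the previous line.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        idx = line.index(":")
        attr = line[:idx].strip()
        if line[idx + 1:idx + 2] == ":":
            value = base64.b64decode(line[idx + 2:].strip())
        else:
            value = line[idx + 1:].strip()
        entry.setdefault(attr, []).append(value)
    return entry


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def certificates_with_metadata(entry):
    """One record per cACertificate;binary value.

    ipaKeyUsage and ipaKeyTrust belong to the entry, so every
    certificate in it is reported with the same usage set and trust.
    """
    usages = frozenset(entry.get("ipaKeyUsage", []))
    trust = frozenset(entry.get("ipaKeyTrust", []))
    return [
        {"fingerprint": fingerprint(der), "usages": usages, "trust": trust}
        for der in entry.get("cACertificate;binary", [])
    ]


def order_independent(entry):
    """Shuffle every multi-valued attribute, as a server is free to
    return them, and check the per-certificate view is unchanged."""
    shuffled = {k: random.sample(v, len(v)) for k, v in entry.items()}
    before = sorted(r["fingerprint"] for r in certificates_with_metadata(entry))
    after_recs = certificates_with_metadata(shuffled)
    after = sorted(r["fingerprint"] for r in after_recs)
    same_meta = all(r["usages"] == frozenset(entry["ipaKeyUsage"]) for r in after_recs)
    return before == after and same_meta


def find_certificate(entry, der):
    """Tie a specific certificate to the entry by comparing blobs; the
    ipaKey* attributes cannot single out one value, so this is the only
    way to confirm that a given certificate is the one described."""
    return any(der == blob for blob in entry.get("cACertificate;binary", []))


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for rec in certificates_with_metadata(entry):
        print(rec["fingerprint"][:16], sorted(rec["usages"]), sorted(rec["trust"]))
    print("order independent:", order_independent(entry))
```

The practical consequence for a client is the one Martin raises: a search on ipaKeyUsage returns the whole entry, and the only way to know which blob a caller holds is to compare the blobs (or their fingerprints), as find_certificate does; any per-certificate trust decision has to be made at the entry level or the schema has to store one certificate per entry.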
