On 05/27/2015 06:12 PM, Martin Basti wrote:
> On 27/05/15 15:53, Fraser Tweedale wrote:
>> This patch adds support for multiple user / host certificates. No
>> schema change is needed ('usercertificate' attribute is already
>> multi-value). The revoke-previous-cert behaviour of host-mod and
>> user-mod has been removed but revocation behaviour of -del and
>> -disable is preserved.
>>
>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>> patch for correct cert-request behaviour.
>>
>> There is one design question (or maybe more, let me know): the
>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>> to the named file. I propose to either:
>>
>> a) write all certs, suffixing suggested filename with either a
>> sequential numerical index, e.g. "cert.pem" becomes
>> "cert.pem.1", "cert.pem.2", and so on; or
>>
>> b) as above, but suffix with serial number and, if there are
>> different issuers, some issuer-identifying information.
>>
>> Let me know your thoughts.
>>
>> Thanks,
>> Fraser
>>
>>
> Is there a possible way to store certificates into one file?
> I read about possibilities to have multiple certs in one .pem file, but I'm
> not a cert guru :)
>
> I personally vote for serial number in case there are multiple certificates,
> if ^ is not possible.
>
>
> 1)
> + if len(certs) > 0:
>
> please use only,
> if certs:
>
> 2)
> You need to re-generate API/ACI.txt in this patch
>
> 3)
> syntax error:
> + for dercert in certs_der
>
>
> 4)
> command
> ipa user-mod ca_user --certificate=<certificate>
>
> removes the current certificate from the LDAP, by design.
> Should the old certificate(s) be revoked? You removed that part in the code.

Good question. I think the suggestion was to have a global switch in IPA global config that would configure the policy - whether the certificates removed by this command or by host-del or host-disable are revoked or if they are just removed (my motivation is to avoid behavior regression in case somebody depended on this behavior).

> only the --addattr='usercertificate=<cert>' appends a new value there
>

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
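The two ways of handling several certificates discussed in the thread, writing them all into one PEM file (Martin's question) and writing one file per certificate with the filename suffixed by serial number plus issuer-identifying information when serials collide across issuers (Fraser's option b), can both be shown with a small stand-alone script. This is an added example, not code from the patch or from FreeIPA itself; it uses only the Python standard library, a minimal DER reader that walks just the Certificate prefix up to the issuer Name, and constructed certificate skeletons (not valid, signed certificates) as sample input. All function names (`pem_bundle`, `cert_filenames`, `cert_identity`, the `_tlv` helpers) and the eight-hex-digit issuer hash are my own choices, not anything the patch defines.

```python
"""Added example (not FreeIPA code): bundle DER certs into one PEM file, and
name per-cert files by serial, adding an issuer identifier only when two
certs share a serial (option b). Stdlib only; all names are assumptions."""
import base64
import hashlib


# --- minimal DER encoder, used only to construct sample input ---------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                                    # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _int(v):
    # DER INTEGER: two's complement, minimal length, sign bit preserved
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _cert_skeleton(serial, issuer_cn):
    """Constructed sample: TBSCertificate stops after the issuer Name and the
    signature is an empty BIT STRING. Not valid, but the prefix is laid out
    exactly like a real certificate, which is all the reader below needs."""
    version = _tlv(0xA0, _int(2))                            # [0] EXPLICIT v3
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))
                   + _tlv(0x05, b""))                        # sha256WithRSA, NULL
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))      # id-at-commonName
              + _tlv(0x0C, issuer_cn.encode()))              # UTF8String
    issuer = _tlv(0x30, _tlv(0x31, cn))                      # SEQUENCE OF SET OF AVA
    tbs = _tlv(0x30, version + _int(serial) + sig_alg + issuer)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


# --- minimal DER reader: walks Certificate -> TBSCertificate prefix ---------
def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def cert_identity(der):
    """Return (serialNumber, DER of issuer Name). Only leading fields are
    parsed, so this works on real DER certificates as well."""
    tag, s, _ = _read_tlv(der, 0)                            # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, _ = _read_tlv(der, s)                            # TBSCertificate
    if tag != 0x30:
        raise ValueError("TBSCertificate missing")
    tag, fs, fe = _read_tlv(der, s)
    if tag == 0xA0:                                          # version is OPTIONAL (v1 omits it)
        tag, fs, fe = _read_tlv(der, fe)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(der[fs:fe], "big", signed=True)
    _, _, alg_end = _read_tlv(der, fe)                       # signature AlgorithmIdentifier
    tag, _, issuer_end = _read_tlv(der, alg_end)             # issuer Name
    if tag != 0x30:
        raise ValueError("issuer missing")
    return serial, der[alg_end:issuer_end]


# --- one PEM file holding every certificate ---------------------------------
def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def pem_bundle(certs_der):
    """Concatenated PEM blocks: the usual way to keep several certs in one file."""
    return "".join(der_to_pem(c) for c in certs_der)


def pem_bundle_to_ders(text):
    """Inverse of pem_bundle; ignores any text outside BEGIN/END markers."""
    ders, buf, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, buf = True, []
        elif line == "-----END CERTIFICATE-----" and inside:
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line)
    return ders


# --- one file per certificate, named as in option (b) -----------------------
def cert_filenames(basename, certs_der):
    """basename.<serial>; if two certs share a serial (possible across
    issuers), insert a short hash of the issuer Name before the serial."""
    ids = [cert_identity(c) for c in certs_der]
    serials = [serial for serial, _ in ids]
    names = []
    for serial, issuer_der in ids:
        if serials.count(serial) > 1:
            issuer_id = hashlib.sha256(issuer_der).hexdigest()[:8]
            names.append(f"{basename}.{issuer_id}.{serial}")
        else:
            names.append(f"{basename}.{serial}")
    return names


# Constructed sample input: two different issuers happen to use serial 1.
SAMPLE_CERTS = [
    _cert_skeleton(1, "Example IPA CA"),
    _cert_skeleton(1, "Example Sub CA"),
    _cert_skeleton(4096, "Example IPA CA"),
]

if __name__ == "__main__":
    print(pem_bundle(SAMPLE_CERTS))
    print(cert_filenames("cert.pem", SAMPLE_CERTS))
```

The bundle form is simply concatenated PEM blocks, which is what most TLS libraries and OpenSSL accept as a certificate chain or trust store file, so a single `--out` file would stay usable by existing tooling. The per-file form only falls back to issuer-qualified names when a serial actually repeats, so in the common single-CA case the filenames stay as short as Martin's vote for plain serial numbers implies.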