On 12/15/2015 08:54 AM, Jan Cholasta wrote:
> recently I and David discussed the direction of installers with regard to
> requesting certificates. Currently there are four (!) different ways of
> requesting certificates in the installer. We would like to reduce
> it to one.
>
> Since all the certificates are tracked by certmonger and certmonger already
> knows how to request certificates from Dogtag (and other CAs), we believe that
> all certificates should be requested using certmonger.
>
> Taking our meditation further, we thought "Why not use certmonger for the
> cert-request command as well?" What is the benefit, do you ask?
>
> a) single code path for requesting certificates (seriously, the current state
> is ridiculous)
> b) use any CA supported by certmonger as the IPA CA (i.e. Let's Encrypt,
> once certmonger gains support for it)
> c) automate external CA install, using any CA supported by certmonger
> d) support multiple different CAs at once (generalization of the Sub-CA
> e) uniform configuration on clients (configure once, use forever, even for
>
> The idea is to store configuration for the different CAs in LDAP and have
> cert-request redirect requests to a proper CA helper according to that
> configuration. This would require a new certmonger D-Bus method to call a CA
> helper without associated certificate storage, but that should be rather easy
> to add. In return, it would be possible to do all of the above.
>
> Note that this should not conflict with tighter integration with Dogtag
> (profiles, ACLs, etc.).
>
> Comments are welcome.
>
> <https://fedorahosted.org/freeipa/ticket/5431>
> <https://fedorahosted.org/freeipa/ticket/5317>
Interesting idea! I would definitely be interested to hear what Fraser, Rob or
Simo think here.
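To make the proposed flow concrete, here is an added sketch of a cert-request dispatcher of the shape Jan describes: look the requested CA up in a directory, enforce that CA's ACL before anything is executed, then hand the CSR to a certmonger-style CA helper and map the helper's exit status back to a result. This is illustrative code written for this thread, not FreeIPA or certmonger code. The LDAP-stored CA entries are a constructed in-memory dict, the helper paths and principals are made up, and the helper protocol (CERTMONGER_OPERATION / CERTMONGER_CSR / CERTMONGER_CA_NICKNAME / CERTMONGER_REQ_PRINCIPAL in the environment, exit status 0 = issued, 1 = wait, 2 = rejected, 3 = CA unreachable, 4 = unconfigured) is my recollection of certmonger's helper convention and should be checked against the certmonger documentation; the D-Bus method the mail asks for does not exist, so the helper is run directly.

```python
"""Constructed example: dispatch a certificate request to a per-CA helper.

Not FreeIPA or certmonger code. CA definitions, helper paths, principals and
the CSR/certificate strings below are all made up for illustration.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class CAConfig:
    """One CA definition, as the proposal would store it in LDAP (constructed)."""
    name: str
    helper: tuple[str, ...]              # argv of the certmonger-style CA helper
    allowed_principals: frozenset[str]   # stands in for the per-CA ACLs the mail mentions


# Constructed stand-in for the LDAP-stored CA configuration (paths are placeholders).
CA_DIRECTORY = {
    "ipa": CAConfig(
        "ipa",
        ("/usr/local/libexec/example-dogtag-submit",),
        frozenset({"admin@EXAMPLE.TEST", "host/web.example.test@EXAMPLE.TEST"}),
    ),
    "lab-subca": CAConfig(
        "lab-subca",
        ("/usr/local/libexec/example-subca-submit",),
        frozenset({"admin@EXAMPLE.TEST"}),
    ),
}

# Exit-status meanings assumed from certmonger's helper convention; verify before relying on them.
HELPER_STATUS = {0: "issued", 1: "wait", 2: "rejected", 3: "ca-unreachable", 4: "unconfigured"}


class RequestError(Exception):
    """Raised before any helper runs: unknown CA or principal not permitted."""


def select_ca(ca_name, principal, directory=CA_DIRECTORY):
    """Resolve the requested CA and enforce its ACL up front, so a caller can never
    reach a helper it is not entitled to use."""
    try:
        ca = directory[ca_name]
    except KeyError:
        raise RequestError(f"unknown CA {ca_name!r}")
    if principal not in ca.allowed_principals:
        raise RequestError(f"{principal} is not allowed to request certificates from {ca_name!r}")
    return ca


def helper_environment(ca, csr_pem, principal):
    """Build the helper's environment (variable names assumed, see module docstring).
    Only the request itself is passed through; the parent environment is not inherited."""
    return {
        "CERTMONGER_OPERATION": "SUBMIT",
        "CERTMONGER_CSR": csr_pem,
        "CERTMONGER_CA_NICKNAME": ca.name,
        "CERTMONGER_REQ_PRINCIPAL": principal,
        "PATH": "/usr/bin:/bin",
    }


def interpret_helper_result(returncode, stdout):
    """Map the helper's exit status to a result; an 'issued' status without a
    certificate on stdout is treated as a helper failure rather than success."""
    status = HELPER_STATUS.get(returncode, "error")
    if status == "issued" and "BEGIN CERTIFICATE" not in stdout:
        status = "error"
    return status, stdout.strip()


def submit_request(ca_name, csr_pem, principal, directory=CA_DIRECTORY, runner=subprocess.run):
    """The single code path the mail argues for: select CA, check ACL, run helper, interpret."""
    ca = select_ca(ca_name, principal, directory)
    env = helper_environment(ca, csr_pem, principal)
    completed = runner(list(ca.helper), env=env, capture_output=True, text=True, check=False)
    return interpret_helper_result(completed.returncode, completed.stdout)


if __name__ == "__main__":
    # Stand-alone demo with a fake helper implemented in /bin/sh (constructed).
    fake_helper = (
        "/bin/sh", "-c",
        'case "$CERTMONGER_OPERATION" in '
        'SUBMIT) printf "%s\\n" "-----BEGIN CERTIFICATE-----" "constructed-cert-for-$CERTMONGER_REQ_PRINCIPAL" '
        '"-----END CERTIFICATE-----"; exit 0;; '
        '*) exit 4;; esac',
    )
    demo_dir = {"demo": CAConfig("demo", fake_helper, frozenset({"admin@EXAMPLE.TEST"}))}
    print(submit_request("demo", "-----BEGIN CERTIFICATE REQUEST-----\n...\n", "admin@EXAMPLE.TEST", demo_dir))
    try:
        submit_request("demo", "csr", "host/rogue.example.test@EXAMPLE.TEST", demo_dir)
    except RequestError as exc:
        print("refused:", exc)
```

The point worth noticing is that the ACL check and the CA lookup happen in one place regardless of which helper ends up being called, which is exactly what collapsing the four installer code paths into one would buy; the D-Bus method Jan proposes would replace the direct `subprocess.run` here with a call into certmonger.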
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code