On Tue, 2015-12-15 at 16:23 +0100, Martin Kosek wrote: > On 12/15/2015 08:54 AM, Jan Cholasta wrote: > > Hi, > > > > recently I and David discussed the direction of installers with regard to > > requesting certificates. Currently there are four (!) different ways of > > requesting certificates in the installer . We would like to > > reduce > > it to one. > > > > Since all the certificates are tracked by certmonger and certmonger already > > knows how to request certificates from Dogtag (and other CAs), we believe > > that > > all certificates should be requested using certmonger. > > > > Taking our meditation further, we thought "Why not use certmonger for the > > cert-request command as well?" What is the benefit, do you ask? > > > > a) single code path for requesting certificates (seriously, the current > > state > > is ridiculous) > > > > b) use any CA supported by certmonger as the IPA CA (i.e. Let's Encrypt > > , > > once certmonger gains support for it) > > > > c) automate external CA install, using any CA supported by certmonger  > > > > d) support multiple different CAs at once (generalization of the Sub-CA > > feature) > > > > e) uniform configuration on clients (configure once, use forever, even for > > CA-less) > > > > The idea is to store configuration for the different CAs in LDAP and have > > cert-request redirect requests to a proper CA helper according to that > > configuration. This would require a new certmonger D-Bus method to call a CA > > helper without associated certificate storage, but that should be rather > > easy > > to add. In return, it would be possible to do all of the above. > > > > Note that this should not conflict with tighter integration with Dogtag > > (profiles, ACLs, etc.). > > > > Comments are welcome. > > > > Honza > > > >  > > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipapython/certmonger.py#n305> > >  > > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n329> > > > >  > > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n355> > > > >  > > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/cainstance.py#n878> > > > >  <https://fedorahosted.org/freeipa/ticket/5431> > >  <https://fedorahosted.org/freeipa/ticket/5317> > > Interesting idea! I would be definitely interested to hear what Fraser, Rob or > Simo thinks here.
Sounds great to me in principle. How do you handle CAs that do not have automatic workflows for csr handling ? That's the reason we did the 2 step process (in reference to ) Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code