On 8.6.2016 13:37, Pavel Vomacka wrote:

On 06/08/2016 01:21 PM, Pavel Vomacka wrote:

On 06/08/2016 05:15 AM, Fraser Tweedale wrote:
On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
Hi team,

This patchset implements the 'ca' plugin for creating and managing
lightweight sub-CAs, and updates the 'caacl' plugin and
'cert-request' command to support multiple CAs.

A brief overview of the patches:

  'ca' plugin, associated schema changes and container objects,
  Dogtag REST API wrapper
  Add CA entry for the IPA CA on install/upgrade
  Update 'caacl' plugin with CA support (including enforcement)
  Update ra.request_certificate() to support specifying target CA
  Add '--ca' option to 'cert-request' command
  Add '--issuer' option to 'cert-find' command

These patches depend on other pending patches:

    0051, 0052, 0053, 0054, 0055, 0056

Signing key replication depends on unmerged Dogtag patches.  Builds
of Dogtag with the required patches, and of FreeIPA with all
completed sub-CAs work, should be available from my COPR soon:

Some parts of the design are not implemented in the current
patchset, including:

- local parent CA (ipaca object) references
- sub-CA certificate renewal
- 'cert-show' command '--ca=NAME' option
- certmonger support for specifying CA
- revocation of deleted CAs

I look forward to your reviews!


Rebased and updated patches attached.

Substantive changes:

- add required attributes for issuer DN and subject DN
- prevent rename of IPA CA
- when adding IPA CA entry, contact Dogtag to learn authority id,
  issuer DN and subject DN
- add 'read_ca' method to Dogtag interface
- tighten ACIs to prevent modification of ipacaid attribute

Updated patch 0064-3; adds --issuer option to cert-show and --ca
option to cert-show and cert-find.


Why is there a --rename option in the ca-mod command? Shouldn't it rather be
--cn, to be consistent with ca-show?
Actually, I meant to be consistent with the attribute name in the result of the API
call of the ca-show command.
Is there any reason to have rename there? Just a note: I look at
it mainly from the point of view of the WebUI.

It is consistent with other mod commands, they all have --rename if the object is renameable. You can't use the primary key name (cn) because that's already taken by the positional argument of the show command.

Jan Cholasta
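The patchset overview above says the 'caacl' plugin is updated with CA support, including enforcement, so that a cert-request is checked against the requesting principal, the certificate profile and now also the target CA. The following is an added illustration of that three-way check, written for this page; it is not FreeIPA's code and does not use ipalib. The matching semantics are assumptions: an ACL must match on all three dimensions, a "category = all" flag acts as a wildcard for its dimension, disabled ACLs are skipped, and a request that no ACL matches is denied. The ACL names, principals, profile names and CA names are constructed sample data. Hosts and services are left out; only users and groups are modelled.

```python
"""Simplified model of CA-aware CA ACL (caacl) enforcement.

Added example, not FreeIPA's own implementation.  Assumed semantics:
an enabled ACL grants a request only if it matches the principal, the
profile AND the target CA; *category_all flags are wildcards; deny by
default.  All names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Requesting user and its group memberships (hosts/services omitted)."""
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class CAACL:
    """One CA ACL.  An empty member set whose *category_all flag is unset
    matches nothing in that dimension, which is how an ACL that lists no
    CA ends up denying every request once CAs are enforced."""
    name: str
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    usercategory_all: bool = False
    profiles: FrozenSet[str] = frozenset()
    profilecategory_all: bool = False
    cas: FrozenSet[str] = frozenset()
    cacategory_all: bool = False
    enabled: bool = True

    def matches_principal(self, p: Principal) -> bool:
        return (self.usercategory_all
                or p.name in self.users
                or bool(p.groups & self.groups))

    def matches_profile(self, profile: str) -> bool:
        return self.profilecategory_all or profile in self.profiles

    def matches_ca(self, ca: str) -> bool:
        return self.cacategory_all or ca in self.cas


def check_request(acls: Iterable[CAACL], principal: Principal,
                  profile: str, ca: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the first enabled ACL that grants it).

    Deny by default: the request is allowed only if some enabled ACL
    matches the principal, the profile and the CA at the same time.
    """
    for acl in acls:
        if not acl.enabled:
            continue
        if (acl.matches_principal(principal)
                and acl.matches_profile(profile)
                and acl.matches_ca(ca)):
            return True, acl.name
    return False, None


# Constructed sample ACLs (hypothetical names; "ipa" stands for the IPA CA
# entry the patchset adds, "web-subca" for a lightweight sub-CA).
SAMPLE_ACLS = (
    CAACL("admins_any_profile_ipa_ca", groups=frozenset({"admins"}),
          profilecategory_all=True, cas=frozenset({"ipa"})),
    CAACL("webteam_service_certs_web_subca", groups=frozenset({"webteam"}),
          profiles=frozenset({"caIPAserviceCert"}),
          cas=frozenset({"web-subca"})),
    # Lists no CA and has no cacategory: matches nothing once CAs are enforced.
    CAACL("legacy_ops_no_ca_listed", groups=frozenset({"ops"}),
          profiles=frozenset({"caIPAserviceCert"})),
    # Wildcard on everything, but disabled, so it must never grant anything.
    CAACL("disabled_everything", usercategory_all=True,
          profilecategory_all=True, cacategory_all=True, enabled=False),
)

ALICE = Principal("alice", frozenset({"admins"}))
BOB = Principal("bob", frozenset({"webteam"}))
CAROL = Principal("carol", frozenset({"ops"}))


if __name__ == "__main__":
    requests = [
        (ALICE, "caIPAserviceCert", "ipa"),
        (ALICE, "caIPAserviceCert", "web-subca"),
        (BOB, "caIPAserviceCert", "web-subca"),
        (BOB, "caIPAserviceCert", "ipa"),
        (CAROL, "caIPAserviceCert", "ipa"),
    ]
    for who, prof, target in requests:
        allowed, by = check_request(SAMPLE_ACLS, who, prof, target)
        print(f"{who.name:6} {prof:18} {target:10} -> "
              f"{'ALLOW' if allowed else 'DENY'} {by or ''}")
```

The third sample ACL is the case a practitioner should watch for when CA support is introduced: an ACL written before CAs existed, with no CA member and no CA category, silently stops granting anything under the deny-by-default rule, so existing ACLs need an explicit CA (or a category of all) added during migration.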

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code