Hi,
I have implemented the core functionality of the automatic CSR
generation design
(http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation).
The code (which should be considered a work in progress) is available at
https://github.com/LiptonB/freeipa/pull/2; please take a look and let me
know what you think!
First, a demo, then some notes:
[root@ipavm ~]# ipa cert-get-requestdata --principal
host/hostname.ipadom.example.com --format openssl
Debug output: [req]
prompt = no
distinguished_name = sec0
req_extensions = exts
[sec0]
CN=hostname.ipadom.example.com
O=IPADOM.EXAMPLE.COM
[sec1]
DNS=hostname.ipadom.example.com
[exts]
subjectAltName=@sec1
[root@ipavm ~]# ipa cert-get-requestdata --principal
host/hostname.ipadom.example.com --format certutil
Debug output: certutil -R -s
CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN
dns:hostname.ipadom.example.com
Notes:
- This is implemented using the four-level schema
(http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A).
I'm very interested in comments on improving the schema or the way I
interact with it in the code.
- Only includes rules for one profile at the moment, and it's probably
not one you'd use (it weirdly puts the FQDN in both Subject and
SubjectAltName). Think of it as an example to show that extensions are
supported.
- Right now, transformation rules are implemented in python. Migrating
them to a scheme where rules are text-based and can be added at runtime
is a future goal.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
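To make the transformation the demo above illustrates concrete, here is an added toy re-implementation of the rule step (not the pull request's code and not FreeIPA's API): it parses a host principal, applies the demo's three rules (CN and SAN DNS from the FQDN, O from the realm) and renders the same openssl config and certutil command shown in the message. It assumes, when no realm is given in the principal, that the realm is the principal's domain part upper-cased, as in the demo; a real deployment would take it from configuration.

```python
"""Toy CSR request-data generator modelled on the demo above.

Hypothetical example, not the FreeIPA pull request's code.
Assumption: when the principal carries no @REALM, the realm is the
domain part of the FQDN upper-cased, matching the demo output.
"""
from dataclasses import dataclass, field


@dataclass
class RequestData:
    subject: list                      # ordered (attribute, value) pairs
    san_dns: list = field(default_factory=list)


def parse_host_principal(principal):
    """Split 'host/fqdn[@REALM]' into (fqdn, realm); reject other forms."""
    service, _, rest = principal.partition("/")
    if service != "host" or not rest:
        raise ValueError("expected a host/<fqdn> principal")
    fqdn, _, realm = rest.partition("@")
    if not realm:
        if "." not in fqdn:
            raise ValueError("cannot derive a realm from a bare hostname")
        realm = fqdn.split(".", 1)[1].upper()   # assumption, see docstring
    return fqdn, realm


def build_request_data(principal):
    """Apply the demo's rules: CN and SAN DNS from the FQDN, O from the realm."""
    fqdn, realm = parse_host_principal(principal)
    return RequestData(subject=[("CN", fqdn), ("O", realm)], san_dns=[fqdn])


def format_openssl(data):
    """Render an openssl 'req' config section set like the first demo output."""
    lines = ["[req]", "prompt = no", "distinguished_name = sec0"]
    if data.san_dns:                    # only emit extensions when there are any
        lines.append("req_extensions = exts")
    lines.append("[sec0]")
    lines += ["%s=%s" % kv for kv in data.subject]
    if data.san_dns:
        lines += ["[sec1]"] + ["DNS=%s" % d for d in data.san_dns]
        lines += ["[exts]", "subjectAltName=@sec1"]
    return "\n".join(lines)


def format_certutil(data):
    """Render a 'certutil -R' command line like the second demo output."""
    subject = ",".join("%s=%s" % kv for kv in data.subject)
    cmd = "certutil -R -s %s" % subject
    if data.san_dns:
        cmd += " --extSAN " + ",".join("dns:%s" % d for d in data.san_dns)
    return cmd
```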