On 07/07/2016 03:16 PM, Rob Crittenden wrote:
Sebastian Hetze wrote:
Hi *

attached you find a patch that adds new options --subject_cn and
--subject_mail to ipa-server-install that make the CA cert subject CN

This patch has been tested by a customer in a PoC.
However, I assume additional testing in different environments is

It would be greatly appreciated if this patch would find its way into
the product very soon.

I don't see the advantage of passing around the subject_rdn along with
the base. Why not pre-combine them into a DN?

Similarly, I think I'd drop storing the subject base and RDN and just
store the DN. I don't think there would be any backwards compat
issues as this would only apply to new installs.

I think this would explode the number of options as users request
additional attributes for the subject (OU, C, etc). Might be better to
make the user pass in a full DN if they want to manage the CA subject. I
don't know if any validation would be required for dogtag (e.g. is there
a minimum set of components needed?)

+1, IMO using e.g., --subject="e=mail,cn=Something,O=REALM.NAME" is better. But IPA should validate it properly to disallow anything not usable by dogtag.

Adding Fraser for the dogtag part.


Petr Vobornik
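
The single full-DN option with validation discussed in this thread, sketched as an added example that is not part of the thread, the patch, or FreeIPA's code. The allow-list of attribute types and the rule that the subject ends in `O=<realm>` are assumptions, since the thread leaves open what dogtag actually requires; all function names are hypothetical.

```python
import re

# Assumption: placeholder allow-list; the thread leaves open which attribute
# types dogtag accepts in a CA subject.
ALLOWED_TYPES = {"CN", "O", "OU", "C", "E"}
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters in place."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling escape at end of DN")
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_subject(dn, allowed=ALLOWED_TYPES):
    """Return [(TYPE, value), ...] for a DN string, or raise ValueError."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if len(split_unescaped(rdn, "+")) > 1:
            raise ValueError("multi-valued RDN not accepted: %r" % rdn)
        attr, eq, value = rdn.lstrip().partition("=")
        attr = attr.strip().upper()
        if not eq or not ATTR_TYPE.match(attr) or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        if attr not in allowed:
            raise ValueError("attribute type not allowed: %s" % attr)
        rdns.append((attr, value))
    return rdns


def validate_ca_subject(dn, realm):
    """Assumed policy: the subject must end with the realm's O= base."""
    rdns = parse_subject(dn)
    if rdns[-1] != ("O", realm):
        raise ValueError("subject must end with O=%s" % realm)
    return ",".join("%s=%s" % rdn for rdn in rdns)
```

Rejecting unknown attribute types up front means a new request such as OU or C becomes a one-line change to the allow-list instead of another installer option.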
