On 07/07/2016 03:16 PM, Rob Crittenden wrote:
Sebastian Hetze wrote:
Hi *
attached you find a patch that adds new options --subject_cn and
--subject_mail to ipa-server-install that make the CA cert subject CN
customizable.
This patch has been tested by a customer in a PoC.
However, i assume additional testing in different environments is
required.
It would be greatly appreciated if this patch would find its way into
the product very soon.
I don't see the advantage of passing around the subject_rdn along with
the base. Why not pre-combine them into a DN?
Similarly, I think I'd drop storing the subject base and RDN and just
store just the DN. I don't think there would be any backwards compat
issues as this would only apply to new installs.
I think this would explode the number of options as users request
additional attributes for the subject (OU, C, etc). Might be better to
make the user pass in a full DN if they want to manage the CA subject. I
don't know if any validation would be required for dogtag (e.g. is there
a minimum set of components needed?)
+1, IMO using e.g., --subject="e=mail,cn=Something,O=REALM.NAME" is
better. But IPA should validate it properly to disallow anything not
usable by dogtag.
Adding Fraser for the dogtag part.
rob
--
Petr Vobornik
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
