On 15.7.2016 07:05, Fraser Tweedale wrote:
On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
The attached patch is a work in progress for
https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).

I am sharing now to make the approach clear and solicit feedback.

It has been tested for server install, replica install (with and
without CA) and CA-replica install (all hosts running master+patch).

Migration from earlier versions and server/replica/CA install on a
CA-less deployment are not yet tested; these will be tested over the
coming days and the patch will be tweaked as necessary.

The commit message has a fair bit to say, so I won't repeat it here, but let
me know your questions and comments.


It does help to attach the patch, of course ^_^

IMO explicit is better than implicit, so instead of introducing additional magic around --subject, I would rather add a new separate option for specifying the CA subject name (I think --ca-subject, for consistency with --ca-signing-algorithm).

By specifying the option you would override the default "CN=Certificate Authority,$SUBJECT_BASE" subject name. If --external-ca was not used, additional validation would be done to make sure the subject name meets Dogtag's expectations. Actually, it might make sense to always do the additional validation, to be able to print a warning that if a Dogtag-incompatible subject name is used, it won't be possible to change the CA cert chaining from externally signed to self-signed later.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
