On 15.7.2016 07:05, Fraser Tweedale wrote:
On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
The attached patch is a work in progress for
https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
I am sharing now to make the approach clear and solicit feedback.
It has been tested for server install, replica install (with and
without CA) and CA-replica install (all hosts running master+patch).
Migration from earlier versions and server/replica/CA install on a
CA-less deployment are not yet tested; these will be tested over
coming days and patch will be tweaked as necessary.
Commit message has a fair bit to say so I won't repeat here but let
me know your questions and comments.
It does help to attach the patch, of course ^_^
IMO explicit is better than implicit, so instead of introducing
additional magic around --subject, I would rather add a new separate
option for specifying the CA subject name (I think --ca-subject, for
consistency with --ca-signing-algorithm).
By specifying the option you would override the default "CN=Certificate
Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
additional validation would be done to make sure the subject name meets
Dogtag's expectations. Actually, it might make sense to always do the
additional validation, to be able to print a warning that if a
Dogtag-incompatible subject name is used, it won't be possible to change
the CA cert chaining from externally signed to self-signed later.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code