On 8.8.2016 06:34, Fraser Tweedale wrote:
Please review the attached patch with adds --certificate-out and
--certificate-chain-out options to `ca-show' command.

Note that --certificate-chain-out currently writes a bogus file due
to a bug in Dogtag that will be fixed in this week's build.


1) The client-side *-out options should be defined on the client side, not on the server side.

2) I don't think there should be additional information included in summary (and it definitely should not be multi-line). I would rather inform the user via an error message when unable to write the files.

If you think there is an actual value in informing the user about successfully writing the files, please use ipalib.messages for the job.

3) IMO a better format for the certificate chain than PKCS#7 would be concatenated PEM, as that's the most commonly used format in IPA (in installers, there are no cert chains in API commands ATM).

4) Over the wire, the certs should be DER-formatted, as that's the most common wire format in other API commands.

5) What is the benefit in having the CA cert and the rest of the chain separate? For end-entity certs it makes sense to separate the cert from the CA chain, but for CA certs, you usually want the full chain, no?



Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to