On 8.8.2016 06:34, Fraser Tweedale wrote:
> Please review the attached patch which adds --certificate-out and
> --certificate-chain-out options to `ca-show' command.
> Note that --certificate-chain-out currently writes a bogus file due
> to a bug in Dogtag that will be fixed in this week's build.
1) The client-side *-out options should be defined on the client side,
not on the server side.
2) I don't think there should be additional information included in
summary (and it definitely should not be multi-line). I would rather
inform the user via an error message when unable to write the files.
If you think there is an actual value in informing the user about
successfully writing the files, please use ipalib.messages for the job.
3) IMO a better format for the certificate chain than PKCS#7 would be
concatenated PEM, as that's the most commonly used format in IPA (in
installers, there are no cert chains in API commands ATM).
4) Over the wire, the certs should be DER-formatted, as that's the most
common wire format in other API commands.
5) What is the benefit in having the CA cert and the rest of the chain
separate? For end-entity certs it makes sense to separate the cert from
the CA chain, but for CA certs, you usually want the full chain, no?
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
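Points 3 and 4 above contrast two encodings of the same chain: DER for each certificate on the wire, and concatenated PEM for the file the client writes. The following is an added example, not code from FreeIPA, ipalib or Dogtag, showing the two conversions in plain Python plus the one check a client should make before writing the file: that every blob is a single, complete DER SEQUENCE, which is exactly what a bogus or truncated blob fails. It assumes the wire carries each DER certificate base64-encoded as a string (the general shape of JSON-RPC binary values; the exact ipalib field names are not taken from the thread), and the "certificates" it carries are constructed stand-in SEQUENCEs, not real X.509 data.

```python
import base64
import ssl  # stdlib; used only for its PEM/DER helper functions, no sockets

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_sequence_length(blob: bytes) -> int:
    """Total byte length of the outermost DER SEQUENCE in blob (tag 0x30),
    including its tag and length bytes. Raises ValueError on a malformed
    header, which is how garbage is caught before it is written to disk."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short form: length in 7 bits
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_der(blob: bytes) -> bytes:
    """Accept a blob only if it is exactly one well-formed DER SEQUENCE
    (no trailing bytes, no truncation)."""
    if der_sequence_length(blob) != len(blob):
        raise ValueError("DER length does not match blob size")
    return blob


def chain_to_wire(chain: list) -> list:
    """Wire form (assumed): each DER certificate as a base64 string, the
    usual way binary values travel in a JSON-RPC response."""
    return [base64.b64encode(check_der(c)).decode("ascii") for c in chain]


def chain_from_wire(wire: list) -> list:
    """Decode the wire form back to DER, validating each element."""
    return [check_der(base64.b64decode(s)) for s in wire]


def chain_to_pem(chain: list) -> str:
    """File form: concatenated PEM, one CERTIFICATE block per element,
    in the order given."""
    return "".join(ssl.DER_cert_to_PEM_cert(check_der(c)) for c in chain)


def pem_to_chain(text: str) -> list:
    """Split a concatenated PEM file back into a list of DER blobs."""
    chain = []
    pos = 0
    while True:
        start = text.find(PEM_BEGIN, pos)
        if start < 0:
            break
        end = text.find(PEM_END, start)
        if end < 0:
            raise ValueError("unterminated PEM block")
        end += len(PEM_END)
        chain.append(check_der(ssl.PEM_cert_to_DER_cert(text[start:end])))
        pos = end
    return chain


# Constructed stand-in blobs, NOT real certificates: minimal DER SEQUENCEs
# so the encoders have something well-formed to carry.
FAKE_CA = bytes([0x30, 0x03, 0x02, 0x01, 0x01])      # SEQUENCE { INTEGER 1 }
FAKE_ROOT = bytes([0x30, 0x03, 0x02, 0x01, 0x02])    # SEQUENCE { INTEGER 2 }
BOGUS = bytes([0x30, 0x10, 0x02, 0x01, 0x03])        # claims 16 bytes, has 3


def demo() -> bool:
    """Round-trip both encodings and confirm the bogus blob is rejected."""
    chain = [FAKE_CA, FAKE_ROOT]
    if chain_from_wire(chain_to_wire(chain)) != chain:
        return False
    if pem_to_chain(chain_to_pem(chain)) != chain:
        return False
    try:
        chain_to_pem([BOGUS])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(chain_to_pem([FAKE_CA, FAKE_ROOT]), end="")
    print("ok" if demo() else "FAILED")
```

The DER check is deliberately shallow: it only confirms the outer SEQUENCE framing, which is enough to refuse writing a file that no TLS stack could load, without pulling in an X.509 parser on the client side. A real client would still hand the PEM to its usual certificate library before trusting it.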