URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
To continue the discussion from the mailing list:

>> My point exactly - ca-show output should be equivalent to cert-show on the
>> CA certificate, as far as the certificate and chain are concerned.
> I reused `BaseCertObject.takes_params` and `BaseCertObject._parse`
> to define the params and do most of the work.  There is some overlap
> with what `BaseCertObject` defines and fields of the `ca` LDAP
> attribute so these are ignored/removed.

What I actually meant is that `cert-show` should also have a `chain` option and 
`certificate_chain` param in the future, which should work the same as in 
`ca-show`. Adding everything from BaseCertObject is overkill IMHO, and out 
of the scope of ticket 6178.

>> I think I would prefer if the certificate was always returned by the server,
>> but the chain only if --chain (or --all) is specified.
>> Additionally, ca-add should also get the new options and do all of this.
> I've implemented this.  `--chain` implies `--all` but otherwise
> remains a client-side only param.

This does not scale well - if a new unrelated attribute is added to the CA LDAP 
entry, or if a new param is added to the CA object, `--chain` will imply 
retrieving them, which is not something we want. It should really be the other 
way around and `--all` should imply `--chain`, which also means `--chain` has 
to be defined on the server side.

>> Generator expressions are generally preferred over map():
>>     data = '\n'.join(to_pem(der) for der in ders)
> Preferred by whom? ;)

Pythonistas, I believe :)
