URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file
jcholast commented:
"""
To continue the discussion from the mailing list:

>> My point exactly - ca-show output should be equivalent to cert-show on the
>> CA certificate, as far as the certificate and chain are concerned.
>>
> I reused `BaseCertObject.takes_params' and `BaseCertObject._parse'
> to define the params and do most of the work. There is some overlap
> with what `BaseCertObject' defines and fields of the `ca' LDAP
> attribute so these are ignored/removed.

What I actually meant is that `cert-show` should also have a `chain` option and `certificate_chain` param in the future, which should work the same as in `ca-show`. Adding everything from BaseCertObject is overkill IMHO, and out of the scope of ticket 6178.

>> I think I would prefer if the certificate was always returned by the server,
>> but the chain only if --chain (or --all) is specified.
>>
>> Additionally, ca-add should also get the new options and do all of this.
>>
> I've implemented this. `--chain' implies `--all' but otherwise
> remains a client-side only param.

This does not scale well - if a new unrelated attribute is added to the CA LDAP entry, or if a new param is added to the CA object, `--chain` will imply retrieving them, which is not something we want. It should really be the other way around and `--all` should imply `--chain`, which also means `--chain` has to be defined on the server side.

>> Generator expressions are generally preferred over map():
>>
>>     data = '\n'.join(to_pem(der) for der in ders)
>>
> Preferred by whom? ;)

Pythonistas, I believe :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262916556
