Title: #177: Add options to write lightweight CA cert or chain to file
To continue the discussion from the mailing list:
>> My point exactly - ca-show output should be equivalent to cert-show on the
>> CA certificate, as far as the certificate and chain are concerned.
> I reused `BaseCertObject.takes_params' and `BaseCertObject._parse'
> to define the params and do most of the work. There is some overlap
> with what `BaseCertObject' defines and fields of the `ca' LDAP
> attribute so these are ignored/removed.
What I actually meant is that `cert-show` should also have a `chain` option and
`certificate_chain` param in the future, which should work the same as in
`ca-show`. Adding everything from BaseCertObject is overkill IMHO, and out
of the scope of ticket 6178.
>> I think I would prefer if the certificate was always returned by the server,
>> but the chain only if --chain (or --all) is specified.
>> Additionally, ca-add should also get the new options and do all of this.
> I've implemented this. `--chain' implies `--all' but otherwise
> remains a client-side only param.
This does not scale well - if a new unrelated attribute is added to the CA LDAP
entry, or if a new param is added to the CA object, `--chain` will imply
retrieving them, which is not something we want. It should really be the other
way around and `--all` should imply `--chain`, which also means `--chain` has
to be defined on the server side.
>> Generator expressions are generally preferred over map():
>> data = '\n'.join(to_pem(der) for der in ders)
> Preferred by whom? ;)
Pythonistas, I believe :)