Title: #337: Client-side CSR autogeneration (take 2)
@HonzaCholasta, I think I see what you mean about these templates not being
dependent on dogtag, and I'm fine with removing the `userCert` dogtag profile
from this PR if you don't think it's relevant. Is it ok to leave the `userCert`
CSR generation profile, as an example of what the tool can do?

So, do you mean we should no longer consider CSR generation profiles to be
associated with IPA profiles? In
https://github.com/LiptonB/freeipa/tree/local-cert-build I have code that
allows you to run `ipa cert-request --autogenerate --principal someserver
--profile-id caIPAserviceCert` and get a cert for the server back in one step.
It uses the `caIPAserviceCert` CSR profile to make a CSR that works with the
`caIPAserviceCert` IPA profile. So it seems to me that having the profiles
linked makes the cert generation experience simpler, and that was the original
way this feature was proposed to me. But, if you'd rather have them not be
linked, should I modify this command so the CSR profile is specified with a
separate flag from the IPA one?