URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

LiptonB commented:
@HonzaCholasta, I think I see what you mean about these templates not being 
dependent on dogtag, and I'm fine with removing the `userCert` dogtag profile 
from this PR if you don't think it's relevant. Is it ok to leave the `userCert` 
CSR generation profile, as an example of what the tool can do?

So, do you mean we should no longer consider CSR generation profiles to be 
associated with IPA profiles? In 
https://github.com/LiptonB/freeipa/tree/local-cert-build I have code that 
allows you to run `ipa cert-request --autogenerate --principal someserver 
--profile-id caIPAserviceCert` and get a cert for the server back in one step. 
It uses the `caIPAserviceCert` CSR profile to make a CSR that works with the 
`caIPAserviceCert` IPA profile. So it seems to me that having the profiles 
linked makes the cert generation experience simpler, and that was the original 
way this feature was proposed to me. But, if you'd rather have them not be 
linked, should I modify this command so the CSR profile is specified with a 
separate flag from the IPA one?

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to