URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

HonzaCholasta commented:
@LiptonB, I think certificate profiles and CSR generation profiles / templates 
*should* be associated, but not by sharing the same logical `certprofile` 
object, as it creates an unwarranted dependency on Dogtag. Instead CSR 
templates should be represented by their own dedicated objects separate from 
`certprofile` objects, which can contain a reference to the default CSR 
template object. This way it will be possible to extend `cert-request` as you 
described, but it will also be possible to generate a CSR and submit it to an 
external CA, even in CA-less IPA deployment.

As for `userCert`, removing just the dogtag profile but keeping the CSR 
template is exactly what I meant.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to