Marc Schlinger wrote:
>> Adding support for other profiles is possible but would require
>> changes in both the IPA RA backend and in the IPA cert plugin. If
>> you'd be interested in pursuing that I can give some guidance on how
>> that might be done.
>
> Yes, I'm interested, I will need this feature soon in order to generate
> "software" client cert among other things.

Ok, this is sort of off the top of my head but it should point you in
the right direction.

There are two things that need to change. You need a way to specify the
profile when requesting the cert on the client side (using the ipa
command) and on the server for requesting the right profile.

I would add a --profile or --type argument to takes_options in
cert_request(), something like:

    values=(u'user', u'service', u'specialservice'),

Next you need to tell the backend what to do with this. Update
ipaserver/plugins/dogtag.py to look something like:

    def request_certificate(self, csr, request_type='pkcs10', type=u'service'):

I would add a dictionary somewhere in here that defines something like:

    profile_types = {u'user': 'caUserCert', u'service': 'caIPAserviceCert',

Then change the call that actually submits the request:

This only gets you part of the way. Currently it is hardcoded in
ipalib/plugins/cert.py that we request only service certificates,
requiring a service principal to make a request. The resulting
certificate is stored within that principal. You'd have to do something
differently for other cert types.

Freeipa-users mailing list
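
The type-to-profile mapping discussed in the reply above, as an added example that is not part of the original message and is not FreeIPA code: it resolves the requested type through a fixed allow-list and refuses a request whose principal kind does not match the type before anything is sent to the CA. Only the two profile IDs come from the email; the function names, the principal classification rule, the `REQUIRED_KIND` policy and the submission field names are assumptions.

```python
# Added illustration, not FreeIPA code. Only the two profile IDs come from
# the email; every other name here is hypothetical.
PROFILE_TYPES = {
    u'user': 'caUserCert',
    u'service': 'caIPAserviceCert',
    # u'specialservice': profile ID not given in the email
}
# Assumed policy: which kind of principal may request which type.
REQUIRED_KIND = {u'user': 'user', u'service': 'service'}


class ProfileError(ValueError):
    """Raised when a request must not be forwarded to the CA."""


def principal_kind(principal):
    """Classify 'name@REALM' as user and 'svc/host@REALM' as service."""
    name, sep, realm = principal.rpartition('@')
    parts = name.split('/')
    if not sep or not realm or not all(parts) or len(parts) > 2:
        raise ProfileError('malformed principal: %r' % principal)
    return 'service' if len(parts) == 2 else 'user'


def build_submit_params(csr, principal, cert_type=u'service',
                        request_type='pkcs10'):
    """Return the fields for the CA submission, or raise ProfileError."""
    # Allow-list lookup: the client never supplies a raw profile ID.
    if cert_type not in PROFILE_TYPES:
        raise ProfileError('unknown certificate type: %r' % cert_type)
    if principal_kind(principal) != REQUIRED_KIND[cert_type]:
        raise ProfileError('%r may not request a %s certificate'
                           % (principal, cert_type))
    return {
        'profileId': PROFILE_TYPES[cert_type],
        'cert_request_type': request_type,
        'cert_request': csr,
    }
```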