Marc Schlinger wrote:

Adding support for other profiles is possible but would require changes in both the IPA RA backend and in the IPA cert plugin. If you'd be interested in pursuing that I can give some guidance on how that might be done.

rob

Yes, I'm interested. I will need this feature soon in order to generate "software" client certs, among other things.
Marc Schlinger

Ok, this is sort of off the top of my head but it should point you in the right direction.

There are two things that need to change. You need a way to specify the profile when requesting the cert on the client side (using the ipa command) and on the server for requesting the right profile.

I would add a --profile or --type argument to takes_options in cert_request(), something like:

StrEnum('type?',
        cli_name='type',
        label=_('Certificate type'),
        values=(u'user', u'service', u'specialservice'),
),

Next you need to tell the backend what to do with this. Update ipaserver/plugins/dogtag.py to look something like:

def request_certificate(self, csr, request_type='pkcs10', type=u'service'):

I would add a dictionary somewhere in here that defines something like:

profile_types = {u'user': 'caUserCert', u'service': 'caIPAserviceCert', u'specialservice': 'foo'}

Then change the call that actually submits the request:

self._sslget('/ca/ee/ca/profileSubmitSSLClient',
             self.env.ca_ee_port,
             profileId=profile_types[type],
             cert_request_type=request_type,
             cert_request=csr,
             xml='true')

This only gets you part of the way. Currently it is hardcoded in ipalib/plugins/cert.py that we request only service certificates, requiring a service principal to make a request. The resulting certificate is stored within that principal. You'd have to do something differently for other cert types.

rob
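The type-to-profile mapping and the changed submit call from Rob's sketch, as an added stand-alone example that is not FreeIPA's own code: the CLI-side StrEnum becomes a fixed allow-list here, so a request can only ever name one of the listed types and never an arbitrary CA profile. The class name, the injected transport callable and the 'foo' placeholder profile are assumptions.

```python
# Added example, not from ipaserver/plugins/dogtag.py.  Shows the
# type -> Dogtag profile lookup with an allow-list check in front of it.

# Fixed allow-list: the same values the StrEnum option would accept on the
# client side.  'foo' is a placeholder for a site-specific profile, as in
# the thread.
PROFILE_TYPES = {
    u'user': 'caUserCert',
    u'service': 'caIPAserviceCert',
    u'specialservice': 'foo',
}


class ProfileError(ValueError):
    """Raised when a request names a type that is not in PROFILE_TYPES."""


def profile_for_type(cert_type):
    """Map a certificate type to its Dogtag profileId, refusing anything
    outside the allow-list so the profile name is never caller-controlled."""
    if cert_type not in PROFILE_TYPES:
        raise ProfileError('unknown certificate type: %r' % (cert_type,))
    return PROFILE_TYPES[cert_type]


class ExampleRA(object):
    """Stand-in for the IPA RA backend (assumed name).  `sslget` is an
    injected callable with the keyword signature of self._sslget, so the
    example runs without a CA."""

    def __init__(self, sslget, ca_ee_port=9443):
        self._sslget = sslget
        self.ca_ee_port = ca_ee_port

    def request_certificate(self, csr, request_type='pkcs10', type=u'service'):
        profile_id = profile_for_type(type)  # validated before any CA call
        return self._sslget('/ca/ee/ca/profileSubmitSSLClient',
                            self.ca_ee_port,
                            profileId=profile_id,
                            cert_request_type=request_type,
                            cert_request=csr,
                            xml='true')


def record_request(path, port, **params):
    """Constructed transport: records what would be sent to the CA."""
    return {'path': path, 'port': port, 'params': params}
```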

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users