Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

2016-06-06 Thread Petr Vobornik
On 06/04/2016 02:17 AM, Fraser Tweedale wrote:
> On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote:
>> On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
>>> Hi all,
>>>
>>> please review the patch for webUI which adds SAN names into 'Issue new
>>> certificate' dialog. The SAN names are mentioned only in dialogs for
>>> requesting host and service certificates, according to the design page:
>>> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
>>> sure whether this change provides enough information. If you think that
>>> we should add more information to these dialogs or even also extend the
>>> dialog on the Authentication -> Certificates page, just let me know.
>>>
>>
>> Should we also include SAN for user certs?
>>
>> E.g.:
>>   -7 emailAddrs
>>
>> Adding Fraser to loop...
>>
>> Otherwise the patch looks good.
>>
> We *could* add rfc822Name example for user certs, but I don't think
> we should.
> 
> Especially for user certs, we might as well hold off because the
> "CSR templates" feature is intended to relieve users of having to
> generate CSRs themselves.
> 

Thanks for the info Fraser.

ACK then.

master:
* 91ac959fe5df817e2322428acff392d735fa414e Extend the certificate request dialog
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

2016-06-03 Thread Fraser Tweedale
On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote:
> On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> > Hi all,
> > 
> > please review the patch for webUI which adds SAN names into 'Issue new
> > certificate' dialog. The SAN names are mentioned only in dialogs for
> > requesting host and service certificates, according to the design page:
> > http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> > sure whether this change provides enough information. If you think that
> > we should add more information to these dialogs or even also extend the
> > dialog on the Authentication -> Certificates page, just let me know.
> > 
> 
> Should we also include SAN for user certs?
> 
> E.g.:
>   -7 emailAddrs
> 
> Adding Fraser to loop...
> 
> Otherwise the patch looks good.
>
We *could* add rfc822Name example for user certs, but I don't think
we should.

Especially for user certs, we might as well hold off because the
"CSR templates" feature is intended to relieve users of having to
generate CSRs themselves.

Cheers,
Fraser



Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

2016-06-03 Thread Petr Vobornik
On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> Hi all,
> 
> please review the patch for webUI which adds SAN names into 'Issue new
> certificate' dialog. The SAN names are mentioned only in dialogs for
> requesting host and service certificates, according to the design page:
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> sure whether this change provides enough information. If you think that
> we should add more information to these dialogs or even also extend the
> dialog on the Authentication -> Certificates page, just let me know.
> 

Should we also include SAN for user certs?

E.g.:
  -7 emailAddrs

Adding Fraser to loop...

Otherwise the patch looks good.
-- 
Petr Vobornik



[Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

2016-05-10 Thread Pavel Vomacka

Hi all,

please review the patch for webUI which adds SAN names into 'Issue new 
certificate' dialog. The SAN names are mentioned only in dialogs for 
requesting host and service certificates, according to the design page:
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
sure whether this change provides enough information. If you think that
we should add more information to these dialogs or even also extend the
dialog on the Authentication -> Certificates page, just let me know.


--
Pavel^3 Vomacka
From a711b4ff8628d5c097145f6afbb78d75a14a970b Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 25 Apr 2016 09:38:30 +0200
Subject: [PATCH] Extend the certificate request dialog

The command for requesting a certificate for hosts and services is extended.
It now shows how to add a DNS name as subjectAltName.

https://fedorahosted.org/freeipa/ticket/5645
---
 install/ui/src/freeipa/certificate.js | 9 +
 install/ui/test/data/ipa_init.json| 3 ++-
 ipalib/plugins/internal.py| 3 ++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index ae05ebb3d45974cd1df50c16e19d0ab9fd27a19b..c9e65dd81224d0119c1d9775382fdc885bc15438 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -716,10 +716,19 @@ IPA.cert.request_action = function(spec) {
 }
 
 var request_message = text.get('@i18n:objects.cert.request_message');
+var ext;
+if (facet.entity.name === 'service' || facet.entity.name === 'host') {
+ext = text.get('@i18n:objects.cert.request_message_san');
+}
+else {
+ext = '';
+}
+request_message = request_message.replace(/\$\{san\}/g, ext);
 request_message = request_message.replace(/\$\{cn_name\}/g, cn_name);
 request_message = request_message.replace(/\$\{cn\}/g, cn);
 request_message = request_message.replace(/\$\{realm\}/g, IPA.env.realm);
 
+
 var dialog = IPA.cert.request_dialog({
 title: title,
 message: request_message,
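
Review bot: the new `${san}` replace in IPA.cert.request_action has to stay ahead of the `${cn}` replace, because the text it inserts (request_message_san) itself contains `${cn}` and relies on the following line to fill it in, and nothing in the code says so. A short comment above `request_message.replace(/\$\{san\}/g, ext)` would keep a later reorder from leaving a literal `${cn}` in the dialog. Two smaller points: `var ext = '';` followed by a single `if` would replace the if/else, and the blank line added before `var dialog` looks unintended and can be dropped.
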
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 1b9b69ff909a9668c1e1867008459d25d5e062a9..5fe3680cc9ae439e616242eb3ccdd23429d7c848 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -261,7 +261,8 @@
 "privilege_withdrawn": "Privilege Withdrawn",
 "reason": "Reason for Revocation",
 "remove_from_crl": "Remove from CRL",
-"request_message": " Create a certificate database or use an existing one. To create a new database: # certutil -N -d   Create a CSR with subject CN=<${cn_name}>,O=, for example: # certutil -R -d  -a -g  -s 'CN=${cn},O=${realm}'   Copy and paste the CSR (from -BEGIN NEW CERTIFICATE REQUEST- to -END NEW CERTIFICATE REQUEST-) into the text area below:  ",
+"request_message": " Create a certificate database or use an existing one. To create a new database: # certutil -N -d   Create a CSR with subject CN=<${cn_name}>,O=, for example: # certutil -R -d  -a -g  -s 'CN=${cn},O=${realm}'${san}   Copy and paste the CSR (from -BEGIN NEW CERTIFICATE REQUEST- to -END NEW CERTIFICATE REQUEST-) into the text area below:  ",
+"request_message_san": " -8 '${cn}'",
 "requested": "Certificate requested",
 "restore_certificate": "Restore Certificate for ${entity} ${primary_key}",
 "restore_certificate_simple": "Restore Certificate",
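
Review bot: `request_message_san` starts with a space only because `${san}` is glued directly onto the closing quote of `'CN=${cn},O=${realm}'` in `request_message`, so the two strings are coupled in a way that breaks silently if either one is edited on its own. Putting the space in `request_message` (before `${san}`) or noting the dependency next to the key would make that explicit. The dialog text also shows `-8 '${cn}'` with no wording that says it adds a DNS name subjectAltName; a few words in the "Create a CSR with subject ..." sentence would tell the user why the extra option is there.
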
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 54871f76de99d92f0f23129b4d636cc4fccfbb8b..aa288788071994d4febea15f7827b737f9c28458 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -405,7 +405,8 @@ class i18n_messages(Command):
 "privilege_withdrawn": _("Privilege Withdrawn"),
 "reason": _("Reason for Revocation"),
 "remove_from_crl": _("Remove from CRL"),
-"request_message": _(" Create a certificate database or use an existing one. To create a new database: # certutil -N -d   Create a CSR with subject CN=<${cn_name}>,O=, for example: # certutil -R -d  -a -g  -s 'CN=${cn},O=${realm}'   Copy and paste the CSR (from -BEGIN NEW CERTIFICATE REQUEST- to -END NEW CERTIFICATE REQUEST-) into the text area below:  "),
+"request_message": _(" Create a certificate database or use an existing one. To create a new database: # certutil -N -d   Create a CSR with subject CN=<${cn_name}>,O=, for exa