I have added a few new features to the code, including:
- A new certificate profile for user certs
- Import and export of included mapping rules when certificate profiles are imported/exported

The updated patches are at https://github.com/LiptonB/freeipa/pull/2/commits.

I look forward to hearing your thoughts, either in the pull request or here on the mailing list.

Thanks,
Ben

On 06/27/2016 01:44 PM, Ben Lipton wrote:

My email client is playing tricks on me - https://github.com/LiptonB/freeipa/pull/2 is the correct link.


On 06/27/2016 01:14 PM, Ben Lipton wrote:
Hi,

I have implemented the core functionality of the automatic CSR generation design (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation). The code (which should be considered a work in progress) is available at https://github.com/LiptonB/freeipa/pull/2, please take a look and let me know what you think!

First, a demo, then some notes:

[root@ipavm ~]# ipa cert-get-requestdata --principal host/hostname.ipadom.example.com --format openssl
Debug output: [req]
prompt = no
distinguished_name = sec0
req_extensions = exts

[sec0]
CN=hostname.ipadom.example.com
O=IPADOM.EXAMPLE.COM

[sec1]
DNS=hostname.ipadom.example.com

[exts]
subjectAltName=@sec1


[root@ipavm ~]# ipa cert-get-requestdata --principal host/hostname.ipadom.example.com --format certutil
Debug output: certutil -R -s CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN dns:hostname.ipadom.example.com


Notes:
- This is implemented using the four-level schema (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A). I'm very interested in comments on improving the schema or the way I interact with it in the code.
- Only includes rules for one profile at the moment, and it's probably not one you'd use (it weirdly puts the FQDN in both Subject and SubjectAltName). Think of it as an example to show that extensions are supported.
- Right now, transformation rules are implemented in python. Migrating them to a scheme where rules are text-based and can be added at runtime is a future goal.




-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
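The demo above shows one profile's mapping rules rendered twice, once as an openssl `req` config and once as a certutil command line. The following is an added illustration of that layering (profile -> mapping rules -> rendered helper input), not code from FreeIPA or from the pull request; the names `MappingRule`, `HOST_PROFILE`, `principal_data`, `render_openssl` and `render_certutil` are assumptions, and the realm is passed in explicitly because the demo principal carries none. The rule table is constructed to reproduce the demo's output (FQDN in both Subject and SAN), and the principal parser validates the hostname and realm so that a crafted principal cannot smuggle extra config sections or shell tokens into the rendered text.

```python
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    """One mapping rule: which subject attribute or SAN type to emit,
    and which piece of principal data feeds it. (Assumed structure.)"""
    target: str   # "subject" or "san"
    name: str     # attribute type: CN, O, DNS, ...
    source: str   # key of the data dict: "hostname" or "realm"


# Constructed profile mirroring the demo: FQDN in both Subject and SAN.
HOST_PROFILE = (
    MappingRule("subject", "CN", "hostname"),
    MappingRule("subject", "O", "realm"),
    MappingRule("san", "DNS", "hostname"),
)

# Conservative syntax checks: a DNS label string and an uppercase realm.
_HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")
_REALM = re.compile(r"[A-Z0-9.-]+")


def principal_data(principal, realm):
    """Extract the values the mapping rules draw on. Only host principals
    are accepted, and both values are validated so that no newline, '[',
    ',' or whitespace can reach the rendered config or command line."""
    if "@" in principal:
        principal, realm = principal.rsplit("@", 1)
    service, _, hostname = principal.partition("/")
    if service != "host" or not _HOSTNAME.fullmatch(hostname):
        raise ValueError(f"not a valid host principal: {principal!r}")
    if not _REALM.fullmatch(realm):
        raise ValueError(f"invalid realm: {realm!r}")
    return {"hostname": hostname, "realm": realm}


def _resolve(rules, data, target):
    """Apply the rules for one target, yielding (name, value) pairs in rule order."""
    return [(r.name, data[r.source]) for r in rules if r.target == target]


def render_openssl(rules, data):
    """Render the rules as an openssl 'req' configuration file."""
    subject = _resolve(rules, data, "subject")
    san = _resolve(rules, data, "san")
    lines = ["[req]", "prompt = no", "distinguished_name = sec0"]
    if san:
        lines.append("req_extensions = exts")
    lines += ["", "[sec0]"] + [f"{k}={v}" for k, v in subject]
    if san:
        lines += ["", "[sec1]"] + [f"{k}={v}" for k, v in san]
        lines += ["", "[exts]", "subjectAltName=@sec1"]
    return "\n".join(lines) + "\n"


def render_certutil(rules, data):
    """Render the rules as a certutil -R argument vector (not a shell string,
    so values are never re-parsed by a shell)."""
    subject = ",".join(f"{k}={v}" for k, v in _resolve(rules, data, "subject"))
    argv = ["certutil", "-R", "-s", subject]
    san = _resolve(rules, data, "san")
    if san:
        argv += ["--extSAN", ",".join(f"{k.lower()}:{v}" for k, v in san)]
    return argv


def certutil_command(rules, data):
    """Shell-quoted form of the certutil argv, for display only."""
    return shlex.join(render_certutil(rules, data))


if __name__ == "__main__":
    d = principal_data("host/hostname.ipadom.example.com", "IPADOM.EXAMPLE.COM")
    print(render_openssl(HOST_PROFILE, d))
    print(certutil_command(HOST_PROFILE, d))
```

Keeping the certutil form as an argument vector until the last moment is the deliberate choice here: the transformation layer decides which values go where, while quoting is left to `shlex.join` (or, in a real integration, to `subprocess` with a list), so a value that passes validation still cannot change the command's shape.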
