Re: [Freeipa-devel] Is CA certificate storage correct?
On 23.5.2014 16:36, Martin Kosek wrote: On 05/20/2014 11:16 AM, Jan Cholasta wrote: On 20.5.2014 08:28, Martin Kosek wrote: Hi there, I checked the update CA Certificate renewal feature design page and one part seemed awkward to me: http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store IIUC, when there are multiple iterations of a certificate stored, there will be one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage attributes, ipaKeyTrust, ... Given that LDAP does not guarantee order, how do I identify which cACertificate belongs to which attribute? There is no such relation, ipaKey* attributes apply to all of the cACertificate attributes. If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record returned, how do I find out which certificate it is? Do I need to go through all binary blobs, parse them and look which blob matches? No. Could you then please state some example in http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store with more than one cACertificate;binary? I think it would greatly help understand the relation of the new schema attributes and cACertificate. As you can see, it may be pretty confusing. Updated the design page. Hopefully it's clearer now. Martin -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Is CA certificate storage correct?
On 05/20/2014 11:16 AM, Jan Cholasta wrote: On 20.5.2014 08:28, Martin Kosek wrote: Hi there, I checked the update CA Certificate renewal feature design page and one part seemed awkward to me: http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store IIUC, when there are multiple iterations of a certificate stored, there will be one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage attributes, ipaKeyTrust, ... Given that LDAP does not guarantee order, how do I identify which cACertificate belongs to which attribute? There is no such relation, ipaKey* attributes apply to all of the cACertificate attributes. If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record returned, how do I find out which certificate it is? Do I need to go through all binary blobs, parse them and look which blob matches? No. Could you then please state some example in http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store with more than one cACertificate;binary? I think it would greatly help understand the relation of the new schema attributes and cACertificate. As you can see, it may be pretty confusing. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Is CA certificate storage correct?
On 20.5.2014 08:28, Martin Kosek wrote: Hi there, I checked the update CA Certificate renewal feature design page and one part seemed awkward to me: http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store IIUC, when there are multiple iterations of a certificate stored, there will be one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage attributes, ipaKeyTrust, ... Given that LDAP does not guarantee order, how do I identify which cACertificate belongs to which attribute? There is no such relation, ipaKey* attributes apply to all of the cACertificate attributes. If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record returned, how do I find out which certificate it is? Do I need to go through all binary blobs, parse them and look which blob matches? No. Wouldn't it be better to have just one LDAP entry with one blob, one ipaKeyUsage, ...? I think it would be then much easier manipulated, LDAP-wise. Maybe we could store certificates with a timestamp like following? cn=auditCert-20130520,cn=certificates,cn=ipa,cn=etc,suffix ... cn=auditCert-20140520,cn=certificates,cn=ipa,cn=etc,suffix ... Would it be easier to manipulate? No. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel