On Thu, May 18, 2017 at 07:17:51AM +0200, Jan Cholasta wrote:
> Hi Fraser,
> 
> On 18.5.2017 02:26, Fraser Tweedale wrote:
> > Hi all,
> > 
> > I'm going to start work on [1] soon.  This ticket is to add support
> > for specifying the desired template (profile) name or OID to use
> > when installing IPA with AD-CS as the external CA.  Currently, the
> > template name is hardcoded to "SubCA", which is the default sub-CA
> > template in AD-CS.
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1427105
> > 
> > This is actually not much work.  The most difficult part is to
> > ensure that the CSR extension is properly populated when renewing.
> > 
> > But I first want to have a discussion here about the user
> > experience.
> > 
> > My first thought was to have a scheme like:
> > 
> >      --external-ca-type=ms-ca,MyTemplateName          # template name
> >      --external-ca-type=ms-ca,123.456.21348.13        # template OID
> >      --external-ca-type=ms-ca,123.456.21348.13,101    # template OID + major version no
> >      --external-ca-type=ms-ca,123.456.21348.13,101,6  # template OID + major version no + minor version no
> > 
> > But because --external-ca-type is an Enum knob, I'm not inclined to
> > extend it.
> 
> +1
> 
> > Instead, I think I will add another option for
> > specifying these data, e.g.
> > 
> >      --external-ca-parameters=MyTemplateName
> >      --external-ca-parameters=123.456.21348.13,101,6
> > 
> > The interpretation of the parameters shall depend on the external CA
> > type.  For 'generic', they are ignored.  For 'ms-ca', the
> > aforementioned interpretation is used.
> 
> I would prefer a simple --external-ca-profile option rather than a complex
> --external-ca-parameters "god" option with differing behavior based on CA
> type, as the former will continue to work nicely when external CA install is
> handled using certmonger.
> 
Fair enough.  My only (minor) concern is the different terminology
("profile" vs "template").  Also if other kinds of options are
needed in future, we'd need yet another option for that, but we
don't need to worry about that now :)

So I will add --external-ca-profile.  Thanks for your feedback.

Cheers,
Fraser

> > 
> > ipa-server-install, ipa-ca-install, and ipa-cacert-manage would
> > learn the new option.
> > 
> > Any thoughts/feedback?
> 
> Honza
> 
> -- 
> Jan Cholasta
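The thread leaves open how an --external-ca-profile value ("template name" or "OID[,major[,minor]]") turns into the CSR extension that AD CS reads. The following is an added illustration, not FreeIPA's code and not from either poster. It assumes the two Microsoft extension OIDs defined in MS-WCCE for this purpose: 1.3.6.1.4.1.311.20.2 (template name, a BMPString) and 1.3.6.1.4.1.311.21.7 (template OID plus integer major and optional minor version, as a SEQUENCE). The function `parse_external_ca_profile` and the DER helpers are hypothetical names; the sample OID in the usage call is constructed, since the thread's placeholder "123.456..." is not a valid OID (the first arc must be 0, 1 or 2).

```python
import re

# Extension OIDs defined by Microsoft (MS-WCCE) for naming the template in a CSR.
OID_CERT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"  # value: BMPString template name
OID_CERT_TEMPLATE_INFO = "1.3.6.1.4.1.311.21.7"  # value: SEQUENCE { OID, major, [minor] }


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID; rejects values that cannot be an OID at all."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID: %s" % dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_int(n):
    if n < 0:
        raise ValueError("template versions are non-negative")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body         # DER INTEGER is two's complement
    return der_tlv(0x02, body)


def der_bmpstring(s):
    return der_tlv(0x1E, s.encode("utf-16-be"))


def parse_external_ca_profile(value):
    """Interpret the option value the way the thread proposes.

    Returns (extension OID, DER-encoded extension value) ready to be placed
    in the CSR's extensionRequest attribute.  A leading dotted number selects
    the OID form; anything else is taken as a template name.
    """
    parts = value.split(",")
    if re.fullmatch(r"\d+(\.\d+)+", parts[0]):
        if len(parts) > 3:
            raise ValueError("expected OID[,major[,minor]], got %r" % value)
        seq = der_oid(parts[0])
        if len(parts) >= 2:
            seq += der_int(int(parts[1]))   # templateMajorVersion
        if len(parts) == 3:
            seq += der_int(int(parts[2]))   # templateMinorVersion (optional)
        return OID_CERT_TEMPLATE_INFO, der_tlv(0x30, seq)
    if len(parts) != 1 or not parts[0]:
        raise ValueError("template name must not contain commas or be empty")
    return OID_CERT_TEMPLATE_NAME, der_bmpstring(parts[0])


if __name__ == "__main__":
    # Constructed sample values; the OID below is made up for the demo.
    for v in ("MyTemplateName", "1.3.6.1.4.1.311.21.8.1234.5678.1,101,6"):
        ext_oid, der = parse_external_ca_profile(v)
        print(v, "->", ext_oid, der.hex())
```

The DER bytes produced here would be the `value` of one entry in the CSR's extensionRequest; on renewal the same function can be re-run on the stored option so the extension is populated identically, which is the part of the work the thread flags as the hardest.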
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org