On 28/05/15 10:46, Martin Kosek wrote:
On 05/27/2015 06:12 PM, Martin Basti wrote:
On 27/05/15 15:53, Fraser Tweedale wrote:
This patch adds supports for multiple user / host certificates. No
schema change is needed ('usercertificate' attribute is already
multi-value). The revoke-previous-cert behaviour of host-mod and
user-mod has been removed but revocation behaviour of -del and
-disable is preserved.
The latest profiles/caacl patchset (0001..0013 v5) depends on this
patch for correct cert-request behaviour.
There is one design question (or maybe more, let me know): the
`--out=FILENAME' option to {host,service} show saves ONE certificate
to the named file. I propose to either:
a) write all certs, suffixing suggested filename with either a
sequential numerical index, e.g. "cert.pem" becomes
"cert.pem.1", "cert.pem.2", and so on; or
b) as above, but suffix with serial number and, if there are
different issues, some issuer-identifying information.
Let me know your thoughts.
Thanks,
Fraser
Is there a possible way how to store certificates into one file?
I read about possibilities to have multiple certs in one .pem file, but I'm not
cert guru :)
I personally vote for serial number in case there are multiple certificates, if
^ is no possible.
1)
+ if len(certs) > 0:
please use only,
if certs:
2)
You need to re-generate API/ACI.txt in this patch
3)
syntax error:
+ for dercert in certs_der
4)
command
ipa user-mod ca_user --certificate=<ceritifcate>
removes the current certificate from the LDAP, by design.
Should be the old certificate(s) revoked? You removed that part in the code.
Good question. I think the suggestion was to have a global switch in IPA global
config that would configure the policy - whether the certificates removed by
this command or by host-del or host-disable are revoked or if they are just
removed (my motivation is to avoid behavior regression in case somebody
depended on this behavior).
I would prefer to keep the current behavior: revoke the certificate if
it was replaced or removed, instead of adding an extra configuration option.
This behavior is not regression.
only the --addattr='usercertificate=<cert>' appends new value there
--
Martin Basti
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
