Fraser,

Continuing the discussion started previously, the question is whether IPA should check for the presence of certain extensions.

There seem to be two kinds of problems which could be encountered here:

1. User could include a CSR which includes an extension that is not valid for the profile.
2. User could include data for an extension that is invalid.

The original allowed extensions check attempted to address problem (1) by allowing only extensions that were valid for the small set of profiles used by IPA. Now that custom profiles are available, though, this is no longer sufficient.

I do believe that it would be useful to provide the user with feedback if a particular extension is not supported by the profile when the CSR is submitted to IPA. This should most likely be a non-fatal notification, because the CA will end up ignoring the extension. With the Dogtag profile API, it is possible to enumerate the extensions that are included in a cert for a particular profile. Couldn't this data be used as the basis for this check?

For problem (2), although some validation could be done in IPA, this is most probably something that should be left to Dogtag itself. I believe the error reporting from Dogtag has been sufficiently improved so that these types of validation errors would be reported back to IPA.

Ade

On Thu, 2015-08-13 at 15:54 +1000, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/5205
>
> Thanks,
> Fraser
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
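The check Ade sketches for problem (1), written out as an added example that is not part of the thread or of FreeIPA's or Dogtag's code: the CSR's requested extensions are compared against the set of extension OIDs a profile will actually emit, and anything outside that set is reported as a non-fatal warning rather than a rejection, since the CA will ignore it anyway. The Dogtag profile lookup is replaced by a hypothetical hard-coded dictionary (`PROFILE_EXTENSIONS`, profile name `exampleProfile`), the CSR is constructed inline with a throwaway EC key, and the `cryptography` library is assumed to be installed. A bad CSR signature is the one condition treated as fatal here, since that is a defect in the request itself rather than a profile mismatch.

```python
"""Non-fatal check of a CSR's requested extensions against a CA profile.

Added example; not FreeIPA or Dogtag code. Requires the `cryptography` package.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Hypothetical stand-in for what the Dogtag profile API would return: the
# dotted OIDs of every extension a given profile writes into the issued cert.
PROFILE_EXTENSIONS = {
    "exampleProfile": {
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME.dotted_string,  # 2.5.29.17
        ExtensionOID.KEY_USAGE.dotted_string,                 # 2.5.29.15
        ExtensionOID.EXTENDED_KEY_USAGE.dotted_string,        # 2.5.29.37
    }
}


def build_sample_csr() -> bytes:
    """Construct a PEM CSR (constructed sample, throwaway key) that requests
    SAN and EKU, which the profile supports, plus basicConstraints, which it
    does not."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.example.test")]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("host.example.test")]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def check_csr_extensions(csr_pem: bytes, profile_name: str) -> dict:
    """Return {"fatal": [...], "warnings": [...]}.

    - An invalid self-signature is fatal: the request is not well-formed.
    - A requested extension the profile does not emit is only a warning,
      because the CA will drop it silently and the user should know that.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    report = {"fatal": [], "warnings": []}

    if not csr.is_signature_valid:
        report["fatal"].append("CSR signature is invalid")

    try:
        supported = PROFILE_EXTENSIONS[profile_name]
    except KeyError:
        report["fatal"].append(f"unknown profile {profile_name!r}")
        return report

    for ext in csr.extensions:
        oid = ext.oid.dotted_string
        if oid not in supported:
            report["warnings"].append(
                f"extension {oid} ({ext.oid._name}) is not emitted by profile "
                f"{profile_name!r} and will be ignored by the CA"
            )
    return report


if __name__ == "__main__":
    result = check_csr_extensions(build_sample_csr(), "exampleProfile")
    for line in result["fatal"]:
        print("ERROR:", line)
    for line in result["warnings"]:
        print("WARNING:", line)
```

The lookup of `ext.oid._name` uses a private attribute of `cryptography`'s `ObjectIdentifier` purely for a friendlier message; the dotted OID string is the value that matters for the comparison, and the check works the same if the name is dropped. In a real integration the `PROFILE_EXTENSIONS` dictionary would be replaced by a call that enumerates the profile's extension components through the Dogtag profile API, as suggested in the message.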