Re: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

Wed, 08 Jun 2016 04:38:55 -0700 


On 06/08/2016 01:21 PM, Pavel Vomacka wrote:




On 06/08/2016 05:15 AM, Fraser Tweedale wrote:

On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:

On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:

Hi team,

This patchset implements the 'ca' plugin for creating and managing
lightweight sub-CAs, and updates the 'caacl' plugin and
'cert-request' command to support multiple CAs.

A brief overview of the patches:

0059
   'ca' plugin, associated schema changes and container objects,
   Dogtag REST API wrapper
0060
   Add CA entry for the IPA CA on install/upgrade
0061
   Update 'caacl' plugin with CA support (including enforcement)
0062
   Update ra.request_certificate() to support specifying target CA
0063
   Add '--ca' option to 'cert-request' command
0064
   Add '--issuer' option to 'cert-find' command

These patches depend on other pending patches:

     0051, 0052, 0053, 0054, 0055, 0056

Signing key replication depends on unmerged Dogtag patches.  Builds
of Dogtag with the required patches, and of FreeIPA with all
completed sub-CAs work, should be available from my COPR soon:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/

Some parts of the design are not implemented in the current
patchset, including:

- local parent CA (ipaca object) references
- sub-CA certificate renewal
- 'cert-show' command '--ca=NAME' option
- certmonger support for specifying CA
- revocation of deleted CAs

I look forward to your reviews!

Thanks,
Fraser


Rebased and updated patches attached.

Substantive changes:

- add required attributes for issuer DN and subject DN
- prevent rename of IPA CA
- when adding IPA CA entry, contact Dogtag to learn authority id,
   issuer DN and subject DN
- add 'read_ca' method to Dogtag interface
- tighten ACIs to prevent modification of ipacaid attribute


Updated patch 0064-3; adds --issuer option to cert-show and --ca
option to cert-show and cert-find.



Hello,


why is there --rename option in ca-mod command? Shouldn't it be rather 
--cn to be consistent with ca-show? 

Actually, I meant to be consistent with attribute name in result of API 
call of ca-show command.

Is there any reason why to have there rename? Just a note: I look at 
it mainly from point of view of WebUI.


--
Pavel^3 Vomacka





-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code





















					Reply via email to