URL: https://github.com/freeipa/freeipa/pull/337 Title: #337: Client-side CSR autogeneration (take 2)
LiptonB commented: """ @HonzaCholasta, I think I see what you mean about these templates not being dependent on dogtag, and I'm fine with removing the `userCert` dogtag profile from this PR if you don't think it's relevant. Is it ok to leave the `userCert` CSR generation profile, as an example of what the tool can do? So, do you mean we should no longer consider CSR generation profiles to be associated with IPA profiles? In https://github.com/LiptonB/freeipa/tree/local-cert-build I have code that allows you to run `ipa cert-request --autogenerate --principal someserver --profile-id caIPAserviceCert` and get a cert for the server back in one step. It uses the `caIPAserviceCert` CSR profile to make a CSR that works with the `caIPAserviceCert` IPA profile. So it seems to me that having the profiles linked makes the cert generation experience simpler, and that was the original way this feature was proposed to me. But, if you'd rather have them not be linked, should I modify this command so the CSR profile is specified with a separate flag from the IPA one? """ See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-274712673
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code