[Freeipa-devel] [PATCH] 304 hosts requesting certificates
Jason Gerard DeRose
jderose at redhat.com
Tue Nov 3 08:20:13 UTC 2009

On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> I had originally implemented allowing a host to request certificates for
> other hosts using the requesting IP address. That was a pretty lousy way
> to do it.
>
> This patch uses the DS ACI system instead. We came up with a clever ACI
> that lets hosts listed in the managedBy attribute in the service modify
> the userCertificate attribute. So you can use this to delegate which
> hosts can request certificates for which services, even for other machines.
>
> I also re-ordered the request_certificate() method a bit. We want all
> the service work done before we do the certificate request. It was
> previously adding the service after the cert request was done. This
> could mean a failed request if the requestor isn't allowed to add
> services. But it is also too late because the cert had already been issued.
>
> I documented how this works a bit at
> http://www.freeipa.org/page/Certificate_Authority
>
> rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply