[Freeipa-devel] Re: Certificate enrollment, principal names

Nalin Dahyabhai nalin at redhat.com
Thu Nov 5 15:28:39 UTC 2009


On Wed, Nov 04, 2009 at 09:44:09PM -0800, Andrew Wnuk wrote:
> Passing entire CSR as a parameter to ipa command could be avoided if
> XML-RPC framework would provide pre and post processing callbacks on
> the client side. Parameters could be used to describe CSR (instead of
> passing entire CSR), pre-processing callback could generate CSR based
> on provided description, then XML-RPC call could submit generated CSR
> and finally post-processing callback could properly place obtained
> certificate.

The CSR is usually signed with the client's key, so we can't generate it
at the server (unless we're doing server-side key generation, which I
don't think we're doing yet).

We could pass a public key by itself with other bits of info alongside,
but then you lose the signing of it.  In the general case, you really
want the client-supplied data to be signed if the approval process is
going to use any of it.

Besides, CSRs are just how this stuff's done, and the reformatting at
the client end can be done with an awk script.  I don't want to add more
work for ourselves by trying to change that part of it.

Cheers,

Nalin
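The point Nalin makes above (the CSR is signed with the client's private key, so the approving side can check that the subject data it is about to act on came from the holder of that key, whereas a bare public key plus description carries no such proof) can be shown end to end with the Go standard library. This is an added example, not code from the thread or from FreeIPA; the subject name `host.example.test` and the function names are assumptions made for the illustration, and the tampering step simply rewrites the CN bytes inside the DER to model client-supplied data being altered between client and approver.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// exampleCN is a constructed subject name for this example.
const exampleCN = "host.example.test"

// makeClientCSR models the client side: the private key is generated here
// and never leaves; the CSR returned is signed with it, which is the
// proof-of-possession the approval process relies on.
func makeClientCSR() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: exampleCN},
	}
	// CreateCertificateRequest embeds the public key and signs the
	// CertificationRequestInfo (version, subject, SPKI, attributes).
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// verifyCSR models the server/approval side: parse the DER, then check the
// self-signature with the public key embedded in the request. Only after
// CheckSignature succeeds is the subject data safe to use for approval.
func verifyCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

// tamperCN replaces the CN string inside the DER with one of equal length,
// so the ASN.1 lengths stay valid and the request still parses. It models
// client-supplied data being changed after the client signed it.
func tamperCN(der []byte, oldCN, newCN string) ([]byte, error) {
	if len(oldCN) != len(newCN) {
		return nil, fmt.Errorf("replacement CN must have the same length")
	}
	if !bytes.Contains(der, []byte(oldCN)) {
		return nil, fmt.Errorf("CN %q not found in DER", oldCN)
	}
	return bytes.Replace(der, []byte(oldCN), []byte(newCN), 1), nil
}

func main() {
	der, err := makeClientCSR()
	if err != nil {
		panic(err)
	}
	csr, err := verifyCSR(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine CSR verified, subject CN=%q\n", csr.Subject.CommonName)

	// Same public key, different subject, no access to the private key:
	// the signature no longer matches and the approver rejects it.
	bad, err := tamperCN(der, exampleCN, "evil.example.test")
	if err != nil {
		panic(err)
	}
	if _, err := verifyCSR(bad); err != nil {
		fmt.Println("tampered CSR rejected:", err)
	}
}
```

The first verification succeeds because the request was signed by the key whose public half it carries; the second fails because the subject bytes changed after signing. That failure is exactly what is lost if the client ships a public key plus a loose description and lets the server assemble the CSR: nothing then binds the description to the key holder.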
