[Freeipa-devel] Re: Certificate enrollment, principal names

Nalin Dahyabhai nalin at redhat.com
Thu Nov 5 17:04:43 UTC 2009 

On Thu, Nov 05, 2009 at 10:39:00AM -0500, Dmitri Pal wrote:
> This is not what Andrew was saying.
> As far as I understand the CSR is a blob of signed information that
> client sends to server
> to get a certificate. The CSR needs to be created somehow. I do not know
> how it is created
> but it seems that there are two steps:
> * create CSR
> * pass CSR to the command
> 
> Andrew suggested to do it in one step (and I agree with him).
> However we have two different use cases:
> * Admin wants to create a cert - in this case our standard CLI is called
> (and the discussion about hooks
> is related to this part)
> *  Certmonger asks for cert -in this case it does not use our standard
> XML-RPC framework but rather
> prepares the request itself and sends it over XML-RPC
> 
> So how do we do or plan to do it in each of the two use cases?
> It seems that the most user friendly approach would be to ask user for
> arguments,
> using these arguments generate CSR on the client and then pass it to the
> server.
> In both cases it should be done in one step by invoking other tools and
> utils (if any)
> needed to prepare CSR from within the command.
> 
> And I correct?

Yes, and that's what we do now -- when you tell certmonger you want a
certificate, it handles generating a CSR with the key you provide (or
one it generates and saves, if there isn't already one in the location
where you told it to look) and the settings you supply, or with default
settings if you don't provide any.  It then goes about the business of
getting a certificate, usually from a CA, using the CSR.  For IPA,
that's done with the XMLRPC call to the cert_request() method.

At the moment, we also have to send the principal name that we've
encoded into the CSR as a separate string parameter to the XMLRPC
request that we send to IPA.  If we find we need more info later, we'll
either need to add another argument to the request (and my reading of
the XMLRPC spec doesn't tell me if that's considered an incompatible
change or not) or teach the server to dig it out of the CSR.

Nalin

More information about the Freeipa-devel mailing list