[Freeipa-devel] Is CA certificate storage correct?

Jan Cholasta jcholast at redhat.com
Wed Jun 4 16:34:19 UTC 2014


On 23.5.2014 16:36, Martin Kosek wrote:
> On 05/20/2014 11:16 AM, Jan Cholasta wrote:
>> On 20.5.2014 08:28, Martin Kosek wrote:
>>> Hi there,
>>>
>>> I checked the update CA Certificate renewal feature design page and one part
>>> seemed awkward to me:
>>>
>>> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>>>
>>> IIUC, when there are multiple iterations of a certificate stored, there will be
>>> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
>>> attributes, ipaKeyTrust, ...
>>>
>>> Given that LDAP does not guarantee order, how do I identify which cACertificate
>>> belongs to which attribute?
>>
>> There is no such relation, ipaKey* attributes apply to all of the cACertificate
>> attributes.
>>
>>>
>>> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
>>> returned, how do I find out which certificate it is? Do I need to go through
>>> all binary blobs, parse them and look which blob matches?
>>
>> No.
>
> Could you then please state some example in
>
> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>
> with more than one cACertificate;binary? I think it would greatly help
> understand the relation of the new schema attributes and cACertificate. As you
> can see, it may be pretty confusing.

Updated the design page. Hopefully it's clearer now.

>
> Martin
>


-- 
Jan Cholasta