[Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates

Martin Basti mbasti at redhat.com
Tue Jun 2 10:36:03 UTC 2015


On 02/06/15 11:42, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
>> On 01/06/15 06:40, Fraser Tweedale wrote:
>>> New version of patch; ``{host,service}-show --out=FILE`` now writes
>>> all certs to FILE.  Rebased on latest master.
>>>
>>> Thanks,
>>> Fraser
>>>
>>> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>>>> Updated patch attached.  Notably restores/adds revocation behaviour
>>>> to host-mod and service-mod.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>>>> This patch adds support for multiple user / host certificates.  No
>>>>>> schema change is needed ('usercertificate' attribute is already
>>>>>> multi-value).  The revoke-previous-cert behaviour of host-mod and
>>>>>> user-mod has been removed but revocation behaviour of -del and
>>>>>> -disable is preserved.
>>>>>>
>>>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>>>> patch for correct cert-request behaviour.
>>>>>>
>>>>>> There is one design question (or maybe more, let me know): the
>>>>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>>>>> to the named file.  I propose to either:
>>>>>>
>>>>>> a) write all certs, suffixing suggested filename with either a
>>>>>>     sequential numerical index, e.g. "cert.pem" becomes
>>>>>>     "cert.pem.1", "cert.pem.2", and so on; or
>>>>>>
>>>>>> b) as above, but suffix with serial number and, if there are
>>>>>>     different issuers, some issuer-identifying information.
>>>>>>
>>>>>> Let me know your thoughts.
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>>>
>>>>>>
>>>>> Is there a possible way to store certificates into one file?
>>>>> I read about possibilities to have multiple certs in one .pem file, but I'm
>>>>> not a cert guru :)
>>>>>
>>>>> I personally vote for serial number in case there are multiple certificates,
>>>>> if ^ is not possible.
>>>>>
>>>>>
>>>>> 1)
>>>>> +            if len(certs) > 0:
>>>>>
>>>>> please use only,
>>>>> if certs:
>>>>>
>>>>> 2)
>>>>> You need to re-generate API/ACI.txt in this patch
>>>>>
>>>>> 3)
>>>>> syntax error:
>>>>> +        for dercert in certs_der
>>>>>
>>>>>
>>>>> 4)
>>>>> command
>>>>> ipa user-mod ca_user --certificate=<certificate>
>>>>>
>>>>> removes the current certificate from the LDAP, by design.
>>>>> Should the old certificate(s) be revoked? You removed that part in the code.
>>>>>
>>>>> only the --addattr='usercertificate=<cert>' appends new value there
>>>>>
>>>>> -- 
>>>>> Martin Basti
>>>>>
>> My objections/proposed solutions in attached patch.
>>
>> * VERSION
>> * In the previous version normalized values were stored in LDAP, so I added
>> it back.  (I don't know why there is no normalization in param settings, but
>> normalization for every certificate is done in callback. I will file a
>> ticket for this)
>> * IMO only normalized certificates should be compared in the old
>> certificates detection
>>
> I incorporated your suggested changes in new patch (attached).
>
> There were no proposed changes to the other patchset (0001..0013)
> since rebase.
>
> Thanks,
> Fraser
Thank you,
ACK
Martin^2
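Added example (not code from this patch or from FreeIPA) illustrating two points raised in the thread: multiple certificates can be stored in ONE .pem file as concatenated PEM blocks, and old-certificate detection should compare certificates only in normalized form. It assumes certificates arrive either as DER bytes or as PEM/base64 text; the sample "certificates" are constructed placeholder bytes, not real X.509 certificates.

```python
import base64
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder "DER" blobs for the demo; not real certificates.
CERT_A = b"\x30\x82\x01\x00" + b"placeholder certificate A " * 4
CERT_B = b"\x30\x82\x01\x00" + b"placeholder certificate B " * 4


def normalize_cert_value(value):
    """Canonical base64 (no PEM headers, no whitespace) for a certificate given
    as DER bytes, as a PEM block, or as line-wrapped base64 text."""
    if isinstance(value, bytes):
        return base64.b64encode(value).decode("ascii")
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    return "".join(body.split())


def write_pem_bundle(certs):
    """Serialize every certificate into a single PEM file: one BEGIN/END block
    per certificate, concatenated (the standard multi-cert .pem layout)."""
    blocks = []
    for cert in certs:
        lines = [PEM_BEGIN] + textwrap.wrap(normalize_cert_value(cert), 64) + [PEM_END]
        blocks.append("\n".join(lines))
    return "\n".join(blocks) + "\n"


def read_pem_bundle(text):
    """Parse a multi-cert PEM file back into a list of DER byte strings."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(text)]


def certs_to_revoke(old_certs, new_certs):
    """Certificates present before a -mod but absent afterwards.  Comparison is
    done on normalized values so a DER value and its PEM rendering never
    count as different certificates (the point made in the review)."""
    new_norm = {normalize_cert_value(c) for c in new_certs}
    return [c for c in old_certs if normalize_cert_value(c) not in new_norm]
```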