[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

Martin Basti mbasti at redhat.com
Wed Jun 3 16:23:20 UTC 2015


On 02/06/15 16:56, Petr Vobornik wrote:
> On 05/27/2015 03:53 PM, Fraser Tweedale wrote:
>> This patch adds support for multiple user / host certificates.  No
>> schema change is needed ('usercertificate' attribute is already
>> multi-value).  The revoke-previous-cert behaviour of host-mod and
>> user-mod has been removed but revocation behaviour of -del and
>> -disable is preserved.
>>
>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>> patch for correct cert-request behaviour.
>>
>> There is one design question (or maybe more, let me know): the
>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>> to the named file.  I propose to either:
>>
>> a) write all certs, suffixing suggested filename with either a
>>     sequential numerical index, e.g. "cert.pem" becomes
>>     "cert.pem.1", "cert.pem.2", and so on; or
>>
>> b) as above, but suffix with serial number and, if there are
>>     different issuers, some issuer-identifying information.
>>
>> Let me know your thoughts.
>>
>> Thanks,
>> Fraser
>>
>
> Has anybody tried it with Web UI?
>
> Currently Web UI is designed only for one cert. I wonder if it still 
> works even with just one.
>
> We should probably file a ticket.

If there are 2 certificates in a host entry, then the WebUI just shows:
Status
  Valid Certificate Present

Then 'view certificate' shows the second certificate.

The 'Get certificate' shows the first certificate.

I will file a ticket.

Martin^2

-- 
Martin Basti



