[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates
Martin Kosek
mkosek at redhat.com
Thu May 28 08:46:52 UTC 2015
On 05/27/2015 06:12 PM, Martin Basti wrote:
> On 27/05/15 15:53, Fraser Tweedale wrote:
>> This patch adds support for multiple user / host certificates. No
>> schema change is needed ('usercertificate' attribute is already
>> multi-value). The revoke-previous-cert behaviour of host-mod and
>> user-mod has been removed but revocation behaviour of -del and
>> -disable is preserved.
>>
>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>> patch for correct cert-request behaviour.
>>
>> There is one design question (or maybe more, let me know): the
>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>> to the named file. I propose to either:
>>
>> a) write all certs, suffixing suggested filename with either a
>> sequential numerical index, e.g. "cert.pem" becomes
>> "cert.pem.1", "cert.pem.2", and so on; or
>>
>> b) as above, but suffix with serial number and, if there are
>> different issuers, some issuer-identifying information.
>>
>> Let me know your thoughts.
>>
>> Thanks,
>> Fraser
>>
>>
> Is there a possible way to store the certificates in one file?
> I read about possibilities to have multiple certs in one .pem file, but I'm not a
> cert guru :)
>
> I personally vote for serial number in case there are multiple certificates, if
> ^ is not possible.
>
>
> 1)
> + if len(certs) > 0:
>
> please use only,
> if certs:
>
> 2)
> You need to re-generate API/ACI.txt in this patch
>
> 3)
> syntax error:
> + for dercert in certs_der
>
>
> 4)
> command
> ipa user-mod ca_user --certificate=<certificate>
>
> removes the current certificate from the LDAP, by design.
> Should the old certificate(s) be revoked? You removed that part in the code.
Good question. I think the suggestion was to have a global switch in IPA global
config that would configure the policy - whether the certificates removed by
this command or by host-del or host-disable are revoked or if they are just
removed (my motivation is to avoid behavior regression in case somebody
depended on this behavior).
>
> only the --addattr='usercertificate=<cert>' appends new value there
>
>
>
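To make the "multiple certs in one .pem file" question and Fraser's option (b) concrete, here is an added Python example (not part of the patch or of FreeIPA's own code): it renders a list of DER certificates either as one concatenated PEM bundle or as one PEM string per certificate keyed by a filename suffixed with the serial number read straight from the DER. The `constructed_cert` helper is an assumption for offline use only; it builds a stand-in whose tbsCertificate prefix is real DER but which is not a real certificate.

```python
import base64

def _tlv(tag, body):
    """Encode one DER TLV; short-form length only, enough for the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the single-byte-tag TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length, as real certs use
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def der_serial(der):
    """serialNumber of an X.509 cert: Certificate > tbsCertificate > [0] version? > INTEGER."""
    _, p, _ = _read_tlv(der, 0)         # Certificate SEQUENCE
    _, p, _ = _read_tlv(der, p)         # tbsCertificate SEQUENCE
    tag, s, e = _read_tlv(der, p)
    if tag == 0xA0:                     # optional EXPLICIT [0] version; v1 certs omit it
        tag, s, e = _read_tlv(der, e)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[s:e], "big")

def der_to_pem(der):
    """PEM is just base64 of the DER, wrapped at 64 columns, between CERTIFICATE markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def pem_bundle(certs_der):
    """All certs concatenated into one PEM file (the 'multiple certs in one .pem' layout)."""
    return "".join(der_to_pem(d) for d in certs_der)

def pem_per_serial(certs_der, filename):
    """Option (b) from the thread: one file per cert, filename suffixed with its serial number."""
    return {"%s.%d" % (filename, der_serial(d)): der_to_pem(d) for d in certs_der}

def constructed_cert(serial):
    """CONSTRUCTED stand-in, not a real certificate: only the tbsCertificate prefix is real DER."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial_der = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, _tlv(0x30, version + serial_der + _tlv(0x30, b"")))
```

Writing the result is then one `open(name, "w").write(pem)` per returned entry; a bundle produced by `pem_bundle` is what OpenSSL-style tools already accept as a multi-certificate PEM file.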