[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

Martin Basti mbasti at redhat.com
Thu May 28 09:17:17 UTC 2015 

On 28/05/15 10:46, Martin Kosek wrote:
> On 05/27/2015 06:12 PM, Martin Basti wrote:
>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>> This patch adds supports for multiple user / host certificates.  No
>>> schema change is needed ('usercertificate' attribute is already
>>> multi-value).  The revoke-previous-cert behaviour of host-mod and
>>> user-mod has been removed but revocation behaviour of -del and
>>> -disable is preserved.
>>>
>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>> patch for correct cert-request behaviour.
>>>
>>> There is one design question (or maybe more, let me know): the
>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>> to the named file.  I propose to either:
>>>
>>> a) write all certs, suffixing suggested filename with either a
>>>      sequential numerical index, e.g. "cert.pem" becomes
>>>      "cert.pem.1", "cert.pem.2", and so on; or
>>>
>>> b) as above, but suffix with serial number and, if there are
>>>      different issues, some issuer-identifying information.
>>>
>>> Let me know your thoughts.
>>>
>>> Thanks,
>>> Fraser
>>>
>>>
>> Is there a possible way how to store certificates into one file?
>> I read about possibilities to have multiple certs in one .pem file, but I'm not
>> cert guru :)
>>
>> I personally vote for serial number in case there are multiple certificates, if
>> ^ is no possible.
>>
>>
>> 1)
>> +            if len(certs) > 0:
>>
>> please use only,
>> if certs:
>>
>> 2)
>> You need to re-generate API/ACI.txt in this patch
>>
>> 3)
>> syntax error:
>> +        for dercert in certs_der
>>
>>
>> 4)
>> command
>> ipa user-mod ca_user --certificate=<ceritifcate>
>>
>> removes the current certificate from the LDAP, by design.
>> Should be the old certificate(s) revoked? You removed that part in the code.
> Good question. I think the suggestion was to have a global switch in IPA global
> config that would configure the policy - whether the certificates removed by
> this command or by host-del or host-disable are revoked or if they are just
> removed (my motivation is to avoid behavior regression in case somebody
> depended on this behavior).
I would prefer to keep the current behavior: revoke the certificate if 
it was replaced or removed, instead of adding an extra configuration option.
This behavior is not regression.
>> only the --addattr='usercertificate=<cert>' appends new value there
>>
>>
>>


-- 
Martin Basti

More information about the Freeipa-devel mailing list