[Freeipa-devel] [PATCH] 0086 Add --ca option to cert-status

Fraser Tweedale ftweedal at redhat.com
Fri Jul 1 12:30:31 UTC 2016


On Fri, Jul 01, 2016 at 10:05:48AM +0200, Jan Cholasta wrote:
> On 1.7.2016 08:57, Jan Cholasta wrote:
> > On 1.7.2016 06:54, Jan Cholasta wrote:
> > > On 1.7.2016 06:47, Fraser Tweedale wrote:
> > > > On Fri, Jul 01, 2016 at 05:55:35AM +0200, Jan Cholasta wrote:
> > > > > On 29.6.2016 12:18, Jan Cholasta wrote:
> > > > > > On 29.6.2016 10:47, Fraser Tweedale wrote:
> > > > > > > On Wed, Jun 29, 2016 at 10:04:05AM +0200, Jan Cholasta wrote:
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > On 29.6.2016 06:11, Fraser Tweedale wrote:
> > > > > > > > > Dear team,
> > > > > > > > > 
> > > > > > > > > The attached patch implements the --ca option for the rest of the
> > > > > > > > > cert-blah commands (https://fedorahosted.org/freeipa/ticket/5999).
> > > > > > > > 
> > > > > > > > 1) I don't think cert-status should be treated specially. The
> > > > > > > > operation to check status of a certificate request is not
> > > > > > > > specific to Dogtag.
> > > > > > > > 
> > > > > > > I'm happy to add the option, with the caveat that because (off the
> > > > > > > top of my head) there is not (yet) a way in Dogtag to
> > > > > > > distinguish/filter requests by target CA, the value may go unused.
> > > > > > 
> > > > > > IMO that's OK, since it's a safe non-destructive operation.
> > > > > > 
> > > > > > > 
> > > > > > > > 
> > > > > > > > 2) cert-show is called twice in cert-revoke. Can we call it just once?
> > > > > > > > 
> > > > > > > I'll address this in next patchset.
> > > > > > 
> > > > > > OK.
> > > > > 
> > > > > ACK on the first version of the patch, since it's better than nothing.
> > > > > The ticket remains open, please fix the rest ASAP.
> > > > > 
> > > > > Added VERSION bump and pushed to master:
> > > > > ffb1f5b1f24f0de30529d50f8c8dfb9a896c149e
> > > > > 
> > > > > Honza
> > > > > 
> > > > New patch 0086 attached, adding the option to cert-status command.
> > > 
> > > Thanks. We could at least check if the specified CA exists, couldn't we?
> > 
> > To speed things up, I have updated your patch with this, see the
> > attachment.
> > 
> > If the change looks good to you, we can push the patch.
> 
> Your original patch works for me, ACK. My change can be pushed under the
> one-liner rule, so pushing them combined in the modified patch.
> 
> Pushed to master: 4844eaec197690e21c6cf44743df7f456d0e185d
> 
Jan, thanks for pushing that along.  My WIP was much the same, but I
got bitten by stale API schema on client side and it did not know
about the --ca option.  I revisited it tonight, but by then you had
pushed the commit :)

Cheers,
Fraser



