[Freeipa-devel] [WIP] Automatic CSR generation - first steps
Ben Lipton
blipton at redhat.com
Wed Jul 6 16:13:22 UTC 2016
I have added a few new features to the code, including:
- A new certificate profile for user certs
- Import and export of included mapping rules when certificate profiles
are imported/exported
The updated patches are at
https://github.com/LiptonB/freeipa/pull/2/commits.
I look forward to hearing your thoughts, either in the pull request or
here on the mailing list.
Thanks,
Ben
On 06/27/2016 01:44 PM, Ben Lipton wrote:
>
> My email client is playing tricks on me -
> https://github.com/LiptonB/freeipa/pull/2 is the correct link.
>
>
> On 06/27/2016 01:14 PM, Ben Lipton wrote:
>> Hi,
>>
>> I have implemented the core functionality of the automatic CSR
>> generation design
>> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation).
>> The code (which should be considered a work in progress) is available
>> at https://github.com/LiptonB/freeipa/pull/2, please take a look and
>> let me know what you think!
>>
>> First, a demo, then some notes:
>>
>> [root at ipavm ~]# ipa cert-get-requestdata --principal
>> host/hostname.ipadom.example.com --format openssl
>> Debug output: [req]
>> prompt = no
>> distinguished_name = sec0
>> req_extensions = exts
>>
>> [sec0]
>> CN=hostname.ipadom.example.com
>> O=IPADOM.EXAMPLE.COM
>>
>> [sec1]
>> DNS=hostname.ipadom.example.com
>>
>> [exts]
>> subjectAltName=@sec1
>>
>>
>> [root at ipavm ~]# ipa cert-get-requestdata --principal
>> host/hostname.ipadom.example.com --format certutil
>> Debug output: certutil -R -s
>> CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN
>> dns:hostname.ipadom.example.com
>>
>>
>> Notes:
>> - This is implemented using the four-level schema
>> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A).
>> I'm very interested in comments on improving the schema or the way I
>> interact with it in the code.
>> - Only includes rules for one profile at the moment, and it's
>> probably not one you'd use (it weirdly puts the FQDN in both Subject
>> and SubjectAltName). Think of it as an example to show that
>> extensions are supported.
>> - Right now, transformation rules are implemented in python.
>> Migrating them to a scheme where rules are text-based and can be
>> added at runtime is a future goal.
>
>
>
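To make the two demo outputs above concrete, here is an added Python sketch (not code from Ben's branch or from FreeIPA) of the kind of transformation the command performs: it parses a host principal, validates the hostname and realm before interpolating them into config text or a command line, and renders the openssl and certutil request data in the formats shown. The principal format, default-realm handling and function names are assumptions.

```python
import re

# Constructed sample input, modelled on the demo in the thread (the realm is
# taken from the server when the principal does not carry one).
SAMPLE_PRINCIPAL = "host/hostname.ipadom.example.com"
SAMPLE_REALM = "IPADOM.EXAMPLE.COM"

# One DNS label: 1-63 chars, alphanumerics or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# A Kerberos realm as FreeIPA uses it: upper-case domain-style name.
_REALM = re.compile(r"^[A-Z0-9.-]+$")


def parse_host_principal(principal, default_realm=None):
    """Split 'host/<fqdn>[@<REALM>]' into (fqdn, realm), rejecting anything
    that could smuggle extra config sections or DN components."""
    service, _, rest = principal.partition("/")
    if service != "host" or not rest:
        raise ValueError("not a host principal: %r" % principal)
    fqdn, _, realm = rest.partition("@")
    realm = realm or default_realm
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError("invalid hostname in principal: %r" % fqdn)
    if not realm or not _REALM.match(realm):
        raise ValueError("invalid or missing realm: %r" % realm)
    return fqdn, realm


def openssl_request_config(fqdn, realm):
    """Render the openssl req(1) config from the demo: subject in [sec0],
    SAN in [sec1], referenced from the [exts] section."""
    return (
        "[req]\nprompt = no\ndistinguished_name = sec0\nreq_extensions = exts\n\n"
        "[sec0]\nCN=%s\nO=%s\n\n"
        "[sec1]\nDNS=%s\n\n"
        "[exts]\nsubjectAltName=@sec1\n"
    ) % (fqdn, realm, fqdn)


def certutil_request_command(fqdn, realm):
    """Render the certutil -R invocation from the demo as an argv list,
    so no shell quoting is involved."""
    subject = "CN=%s,O=%s" % (fqdn, realm)
    return ["certutil", "-R", "-s", subject, "--extSAN", "dns:" + fqdn]


if __name__ == "__main__":
    host, realm = parse_host_principal(SAMPLE_PRINCIPAL, SAMPLE_REALM)
    print(openssl_request_config(host, realm))
    print(" ".join(certutil_request_command(host, realm)))
```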