[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

Rob Crittenden rcritten at redhat.com
Thu Jul 7 13:16:12 UTC 2016


Sebastian Hetze wrote:
> Hi *
>
> attached you find a patch that adds new options --subject_cn and
> --subject_mail to ipa-server-install that make the CA cert subject CN
> customizable.
>
> This patch has been tested by a customer in a PoC.
> However, I assume additional testing in different environments is required.
>
> It would be greatly appreciated if this patch would find its way into
> the product very soon.

I don't see the advantage of passing around the subject_rdn along with 
the base. Why not pre-combine them into a DN?

Similarly, I think I'd drop storing the subject base and RDN and just 
store the DN. I don't think there would be any backwards compat 
issues as this would only apply to new installs.

I think this would explode the number of options as users request 
additional attributes for the subject (OU, C, etc). Might be better to 
make the user pass in a full DN if they want to manage the CA subject. I 
don't know if any validation would be required for dogtag (e.g. is there 
a minimum set of components needed?)

rob
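The two approaches discussed above (pre-combining the user-facing pieces into one DN, versus accepting a full subject DN and validating it) are shown below as an added example. This is illustration code written for this page, not the patch from the thread and not FreeIPA or Dogtag code. The required-attribute set (CN and O) and the `emailAddress` attribute name for the mail RDN are assumptions of the example; the thread only asks whether Dogtag enforces a minimum set of components, it does not state one.

```python
# Added example: build and validate a CA subject DN for an installer option.
# Not FreeIPA/Dogtag code. The REQUIRED_ATTRS policy and the emailAddress
# attribute name are assumptions for illustration.

# Assumed minimum set of attribute types a CA subject must carry.
REQUIRED_ATTRS = ("CN", "O")

# Characters that RFC 4514 requires to be backslash-escaped inside a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading '#' and leading/trailing spaces also need escaping.
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_subject_dn(cn, subject_base, mail=None):
    """Pre-combine CN (and optionally mail) with the subject base into one DN,
    so the rest of the installer only ever handles a complete DN string."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    if mail:
        rdns.append("emailAddress=" + escape_rdn_value(mail))  # assumed attr name
    return ",".join(rdns + [subject_base])


def _split_pair(rdn):
    """Split a single 'attr=value' RDN; attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().upper(), value.strip()


def parse_dn(dn):
    """Split a DN string into (attr, value) pairs, honouring backslash escapes
    and double-quoted values. Multi-valued RDNs joined with '+' are not handled."""
    pairs, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped char, drop the backslash
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            pairs.append(_split_pair("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        pairs.append(_split_pair("".join(buf)))
    return pairs


def validate_subject_dn(dn):
    """Return a list of problems with a user-supplied full subject DN.
    An empty list means the DN passes this example's policy."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    attrs = [attr for attr, _ in pairs]
    for required in REQUIRED_ATTRS:
        if required not in attrs:
            problems.append("missing required attribute %s" % required)
    if attrs.count("CN") > 1:
        problems.append("more than one CN")
    for attr, value in pairs:
        if not value:
            problems.append("empty value for %s" % attr)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    dn = build_subject_dn("Acme, Inc. CA", "O=ACME", mail="ca@acme.test")
    print(dn)
    print(parse_dn(dn))
    print(validate_subject_dn(dn))
    print(validate_subject_dn("O=EXAMPLE.COM"))
```

With the full-DN option, the installer can call `validate_subject_dn` once on the user's input and reject anything missing the assumed minimum components, instead of growing a new `--subject_*` flag for every attribute a deployment wants in the CA subject.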