[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

Sebastian Hetze shetze at redhat.com
Thu Jul 7 14:10:51 UTC 2016 


On 07/07/2016 03:16 PM, Rob Crittenden wrote:
> Sebastian Hetze wrote:
>> Hi *
>>
>> attached you find a patch that adds new options --subject_cn and
>> --subject_mail to ipa-server-install that make the CA cert subject CN
>> customizable.
>>
>> This patch has been tested by a customer in a PoC.
>> However, i assume additional testing in different environments is
>> required.
>>
>> It would be greatly appreciated if this patch would find its way into
>> the product very soon.
>
> I don't see the advantage of passing around the subject_rdn along with
> the base. Why not pre-combine them into a DN?
Think of the subject_rdn as given name for the CA cert and the
subject_base as family name for all subsequent service certs that IPA
automatically generates and signs. While the given names for the
generated service certs may stay hard coded, only the given name for the
CA cert needs to be customizable as requested in the RFE.
Look into the source and you will see that subject_base is used all over
the place and subject_rdn (as replacement for the hard coded
"CN=Certificate Authority") only related to the CA cert. They need to be
kept separate.

>
>
> Similarly, I think I'd drop storing the subject base and RDN and just
> store just the DN. I don't think there would be any backwards compat
> issues as this would only apply to new installs.
>
> I think this would explode the number of options as users request
> additional attributes for the subject (OU, C, etc). Might be better to
> make the user pass in a full DN if they want to manage the CA subject.
> I don't know if any validation would be required for dogtag (e.g. is
> there a minimum set of components needed?)
CN is mandatory and only emailAddress is a commonly used option for the
"given name" subject_rdn. OU, C and alike belong to the subject_base.
>
> rob

Beste Grüße / Best regards
  Sebastian Hetze
-- 
Senior Solution Architect
Red Hat GmbH. Niederlassung Berlin
Am Treptower Park 75 12435 Berlin
Tel: +49 30 678 1798-241 . Mobil: +49 173 8914205
Fax: +49 30 678 1798-111 . E-Mail: she at redhat.com

More information about the Freeipa-devel mailing list