[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install
Fraser Tweedale
ftweedal at redhat.com
Mon Jul 11 00:22:52 UTC 2016
On Fri, Jul 08, 2016 at 01:54:33PM +0200, Sebastian Hetze wrote:
> On 07/08/2016 12:57 PM, Sebastian Hetze wrote:
> >
> >
> > With your proposal, a subject would look like this:
> > Subject: CN=Custom CA Name,E=caadmin at example.com,OU=Example IT,O=Example
> > Corp,L=City,ST=State,C=US
> >
I was not proposing that the DN contain all those components; merely
that particular components, if present, would be extracted to form the
subject base. In the case of --external-ca, the argument to
--subject would be used as-is in the CSR.
> > I will check with my customer if this can possibly be signed by the AD
> > PKI, and if that works what the ordering looks like after signing.
> As I expected, the AD PKI brings the whole subject line into canonical
> order, resulting in that subject:
>
> Subject: E=caadmin at example.com,CN=Custom CA Name,OU=Example IT,O=Example
> Corp,L=City,ST=State,C=US
>
> Since the ipa-server-install requires the subject of the signed cert to
> match exactly the subject from the CSR, we need to construct the subject
> line exactly as I do in my proposed patch.
>
> And, as I said, the patch works with freeipa-4.2.0 as shipped with RHEL-7.2
>
It may work fine, but I feel it is not the best approach to add new
arguments.
Your preliminary work and knowledge of the case are valuable. I
will implement the single --subject argument approach and we can
check that it meets the requirements.
Thanks,
Fraser
>
> Beste Grüße / Best regards
> Sebastian Hetze
> --
> Senior Solution Architect
> Red Hat GmbH. Niederlassung Berlin
> Am Treptower Park 75 12435 Berlin
> Tel: +49 30 678 1798-241 . Mobil: +49 173 8914205
> Fax: +49 30 678 1798-111 . E-Mail: she at redhat.com
>
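As an added illustration (not part of the original messages and not FreeIPA code), the sketch below compares the two subject strings quoted in the thread: an order-sensitive match fails once the signing CA has reordered the RDNs, although the set of components is unchanged. The function names are hypothetical, the sample values are constructed from the thread with the e-mail address written with `@`, and the comparison works on DN strings rather than on the DER-encoded names a real check would use.

```python
import re

def parse_dn(dn):
    """Split a DN string into an ordered list of (type, value) pairs.

    Splits on commas that are not backslash-escaped. Multi-valued RDNs
    ('+') and escaped backslashes are out of scope for this sketch.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def exact_match(csr_dn, cert_dn):
    """Order-sensitive comparison, like the exact match described in the thread."""
    return parse_dn(csr_dn) == parse_dn(cert_dn)

def same_components(csr_dn, cert_dn):
    """Order-insensitive comparison: same RDNs, in any order."""
    return sorted(parse_dn(csr_dn)) == sorted(parse_dn(cert_dn))

def reorder_report(csr_dn, cert_dn):
    """List (type, position in CSR, position in cert) for each RDN that moved."""
    csr, cert = parse_dn(csr_dn), parse_dn(cert_dn)
    moved = []
    for i, rdn in enumerate(csr):
        if rdn in cert and cert.index(rdn) != i:
            moved.append((rdn[0], i, cert.index(rdn)))
    return moved

# Constructed sample values, taken from the subjects quoted in the thread.
CSR_SUBJECT = ("CN=Custom CA Name,E=caadmin@example.com,OU=Example IT,"
               "O=Example Corp,L=City,ST=State,C=US")
SIGNED_SUBJECT = ("E=caadmin@example.com,CN=Custom CA Name,OU=Example IT,"
                  "O=Example Corp,L=City,ST=State,C=US")

if __name__ == "__main__":
    print("exact match:     ", exact_match(CSR_SUBJECT, SIGNED_SUBJECT))
    print("same components: ", same_components(CSR_SUBJECT, SIGNED_SUBJECT))
    for attr, before, after in reorder_report(CSR_SUBJECT, SIGNED_SUBJECT):
        print(f"  {attr} moved from position {before} to {after}")
```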