[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

Petr Spacek pspacek at redhat.com
Fri Jul 29 13:39:06 UTC 2016 

On 27.7.2016 19:06, Ben Lipton wrote:
> Hi all,
> 
> I think the automatic CSR generation feature
> (https://fedorahosted.org/freeipa/ticket/4899,
> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation) is
> stable enough to review now. The following are summaries of the attached patches:
> 0004: LDAP schema changes for the new feature
> 0005: Basic API for new objects and CSR generation
> 0006: Update install automation to create some default mapping rules
> 0007: Implement the lookups and text processing that generates the CSR config
> 0008 and 0009: Implement some actual transformation rules so that the feature
> is usable
> 0010: Add a new cert profile for user certs, with mappings
> 0011: Implement import/export of cert profiles with mappings
> 0012: Tests for profile import/export
> 
> Generally speaking, later patches depend on earlier ones, but I don't
> anticipate any problems from committing earlier patches without later ones.
> 
> If you prefer, you can also comment on the pull request version:
> https://github.com/LiptonB/freeipa/pull/4. Note that I may force push on this
> branch.
> 
> Allocation of OIDs for schema change also needs review:
> https://code.engineering.redhat.com/gerrit/#/c/80061/
> 
> Known issues:
> - When the requested principal does not have some of the requested data,
> produces funny-looking configs with extra commas, empty sections, etc. They
> are still accepted by my copies of openssl and certutil, but they look ugly.
> - The new objects don't have any ACIs, so for the moment only admin can run
> the new commands.
> - Does not yet have support for prompting user for field values, so currently
> all data must come from the database.
> - All processing happens on the server side. As discussed in a previous
> thread, it would be desirable to break this out into a library so it could be
> used client-side.
> 
> Very excited to hear your thoughts!

Hi Ben,

I wanted to give it a try from user's point of view first, before diving into
implementation details. Here are some observations:

0. Design pages are using term "helper" and it is used even as option in the
example with smartcards. Please fix either design page or the code so they are
consistent.

1. The "ipa cert-request" command is missing options --autofill and --use (aka
helper aka format :-) which are mentioned in the design pages.

2. "ipa cert_get_requestdata" command passes even without --profile-id and
generates empty config. I think that this is not expected :-)

3. "ipa cert_get_requestdata --format=openssl" prints the text to stdout
including label "Configuration file contents:". This is hard to use because
simple redirection like "ipa cert_get_requestdata --format=openssl > config"
will not give you valid OpenSSL config file - it needs hand-editing.

It would be good to add --out parameter you envisioned in the design page.
Please ask jcholast for proper name and semantics :-) With --out option the
command can be used to generate valid config (or script if certutil was selected).

4. "ipa cert_get_requestdata --format=openssl" could print hint what OpenSSL
command should be executed on the generated config file. For testing I've used
command "openssl req -new -out csr -text -config config" (stolen and modified
from smart card example). Also, as a second hint, it could print the IPA
command which needs to be used to sign the CSR generated by the helper.

5. My naive attempt to get userCert for admin failed:
$ ipa cert_get_requestdata --format=openssl --principal=admin
--profile-id=userCert > usercert.conf
# remove the trailing label
$ openssl req -new -out csr -text -config usercert.conf
$ ipa cert-request --principal=admin --profile-id=userCert usercert.csr
ipa: ERROR: invalid 'csr': No Common Name was found in subject of request.

I'm attaching files generated by the commands above. I did not modify anything
in the templates or profiles, just tried to use the new profile added by
freeipa-blipton-0010-Add-a-new-cert-profile-for-users.patch .

Hopefully I will get to other things soon (but not this week).


Anyway, all this seems like (expected) initial problems. In general the first
touch with user interface seems reasonable and needs only small improvements.

Good work!

-- 
Petr^2 Spacek
-------------- next part --------------
[ req ]
prompt = no
encrypt_key = no

distinguished_name = sec0

[ sec0 ]
O=DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
UID=admin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: usercert.csr
Type: application/pkcs10
Size: 3435 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160729/56d036f0/attachment.p10>

More information about the Freeipa-devel mailing list