[Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

Pavel Vomacka pvomacka at redhat.com
Wed Jun 8 11:21:30 UTC 2016 


On 06/08/2016 05:15 AM, Fraser Tweedale wrote:
> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
>>> Hi team,
>>>
>>> This patchset implements the 'ca' plugin for creating and managing
>>> lightweight sub-CAs, and updates the 'caacl' plugin and
>>> 'cert-request' command to support multiple CAs.
>>>
>>> A brief overview of the patches:
>>>
>>> 0059
>>>    'ca' plugin, associated schema changes and container objects,
>>>    Dogtag REST API wrapper
>>> 0060
>>>    Add CA entry for the IPA CA on install/upgrade
>>> 0061
>>>    Update 'caacl' plugin with CA support (including enforcement)
>>> 0062
>>>    Update ra.request_certificate() to support specifying target CA
>>> 0063
>>>    Add '--ca' option to 'cert-request' command
>>> 0064
>>>    Add '--issuer' option to 'cert-find' command
>>>
>>> These patches depend on other pending patches:
>>>
>>>      0051, 0052, 0053, 0054, 0055, 0056
>>>
>>> Signing key replication depends on unmerged Dogtag patches.  Builds
>>> of Dogtag with the required patches, and of FreeIPA with all
>>> completed sub-CAs work, should be available from my COPR soon:
>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
>>>
>>> Some parts of the design are not implemented in the current
>>> patchset, including:
>>>
>>> - local parent CA (ipaca object) references
>>> - sub-CA certificate renewal
>>> - 'cert-show' command '--ca=NAME' option
>>> - certmonger support for specifying CA
>>> - revocation of deleted CAs
>>>
>>> I look forward to your reviews!
>>>
>>> Thanks,
>>> Fraser
>>>
>> Rebased and updated patches attached.
>>
>> Substantive changes:
>>
>> - add required attributes for issuer DN and subject DN
>> - prevent rename of IPA CA
>> - when adding IPA CA entry, contact Dogtag to learn authority id,
>>    issuer DN and subject DN
>> - add 'read_ca' method to Dogtag interface
>> - tighten ACIs to prevent modification of ipacaid attribute
>>
> Updated patch 0064-3; adds --issuer option to cert-show and --ca
> option to cert-show and cert-find.
>
>
Hello,

why is there --rename option in ca-mod command? Shouldn't it be rather 
--cn to be consistent with ca-show? Is there any reason why to have 
there rename? Just a note: I look at it mainly from point of view of WebUI.

--
Pavel^3 Vomacka
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160608/aefa0ead/attachment.htm>

More information about the Freeipa-devel mailing list