[Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

Jan Cholasta jcholast at redhat.com
Wed Jun 8 11:45:55 UTC 2016


On 8.6.2016 13:37, Pavel Vomacka wrote:
>
>
> On 06/08/2016 01:21 PM, Pavel Vomacka wrote:
>>
>>
>>
>> On 06/08/2016 05:15 AM, Fraser Tweedale wrote:
>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
>>>>> Hi team,
>>>>>
>>>>> This patchset implements the 'ca' plugin for creating and managing
>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and
>>>>> 'cert-request' command to support multiple CAs.
>>>>>
>>>>> A brief overview of the patches:
>>>>>
>>>>> 0059
>>>>>   'ca' plugin, associated schema changes and container objects,
>>>>>   Dogtag REST API wrapper
>>>>> 0060
>>>>>   Add CA entry for the IPA CA on install/upgrade
>>>>> 0061
>>>>>   Update 'caacl' plugin with CA support (including enforcement)
>>>>> 0062
>>>>>   Update ra.request_certificate() to support specifying target CA
>>>>> 0063
>>>>>   Add '--ca' option to 'cert-request' command
>>>>> 0064
>>>>>   Add '--issuer' option to 'cert-find' command
>>>>>
>>>>> These patches depend on other pending patches:
>>>>>
>>>>>     0051, 0052, 0053, 0054, 0055, 0056
>>>>>
>>>>> Signing key replication depends on unmerged Dogtag patches.  Builds
>>>>> of Dogtag with the required patches, and of FreeIPA with all
>>>>> completed sub-CAs work, should be available from my COPR soon:
>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
>>>>>
>>>>> Some parts of the design are not implemented in the current
>>>>> patchset, including:
>>>>>
>>>>> - local parent CA (ipaca object) references
>>>>> - sub-CA certificate renewal
>>>>> - 'cert-show' command '--ca=NAME' option
>>>>> - certmonger support for specifying CA
>>>>> - revocation of deleted CAs
>>>>>
>>>>> I look forward to your reviews!
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>> Rebased and updated patches attached.
>>>>
>>>> Substantive changes:
>>>>
>>>> - add required attributes for issuer DN and subject DN
>>>> - prevent rename of IPA CA
>>>> - when adding IPA CA entry, contact Dogtag to learn authority id,
>>>>   issuer DN and subject DN
>>>> - add 'read_ca' method to Dogtag interface
>>>> - tighten ACIs to prevent modification of ipacaid attribute
>>>>
>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca
>>> option to cert-show and cert-find.
>>>
>>>
>> Hello,
>>
>> why is there a --rename option in the ca-mod command? Shouldn't it rather
>> be --cn, to be consistent with ca-show?
> Actually, I meant to be consistent with the attribute name in the result
> of the API call of the ca-show command.
>> Is there any reason to have rename there? Just a note: I look at
>> it mainly from the point of view of the WebUI.

It is consistent with other mod commands: they all have --rename if the
object is renameable. You can't use the primary key name (cn) because
that's already taken by the positional argument of the show command.

-- 
Jan Cholasta
