[Freeipa-devel] [WIP] Automatic CSR generation - first steps

Ben Lipton blipton at redhat.com
Mon Jun 27 17:44:34 UTC 2016


My email client is playing tricks on me - 
https://github.com/LiptonB/freeipa/pull/2 is the correct link.


On 06/27/2016 01:14 PM, Ben Lipton wrote:
> Hi,
>
> I have implemented the core functionality of the automatic CSR 
> generation design 
> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation). 
> The code (which should be considered a work in progress) is available 
> at https://github.com/LiptonB/freeipa/pull/2, please take a look and 
> let me know what you think!
>
> First, a demo, then some notes:
>
> [root at ipavm ~]# ipa cert-get-requestdata --principal 
> host/hostname.ipadom.example.com --format openssl
>     Debug output: [req]
> prompt = no
> distinguished_name = sec0
> req_extensions = exts
>
> [sec0]
> CN=hostname.ipadom.example.com
> O=IPADOM.EXAMPLE.COM
>
> [sec1]
> DNS=hostname.ipadom.example.com
>
> [exts]
> subjectAltName=@sec1
>
>
> [root at ipavm ~]# ipa cert-get-requestdata --principal 
> host/hostname.ipadom.example.com --format certutil
>     Debug output: certutil -R -s 
> CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN 
> dns:hostname.ipadom.example.com
>
>
> Notes:
> - This is implemented using the four-level schema 
> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A). 
> I'm very interested in comments on improving the schema or the way I 
> interact with it in the code.
> - Only includes rules for one profile at the moment, and it's probably 
> not one you'd use (it weirdly puts the FQDN in both Subject and 
> SubjectAltName). Think of it as an example to show that extensions are 
> supported.
> - Right now, transformation rules are implemented in python. Migrating 
> them to a scheme where rules are text-based and can be added at 
> runtime is a future goal.
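The two outputs from the demo, as an added example that is not the code from the pull request: a small Python renderer that derives the subject and SAN from a host principal (assumed mapping: CN = FQDN, O = realm taken from the principal or a supplied default, SAN = dns:FQDN) and emits both the openssl req config and the certutil command; the certutil values are shell-quoted, which the demo output is not.

```python
# Added example, not the pull request's code.  Assumes the demo profile's
# mapping: CN = host FQDN, O = realm, subjectAltName = dns:<FQDN>.
import re
import shlex

PRINCIPAL_RE = re.compile(r"^host/(?P<fqdn>[^@/]+)(?:@(?P<realm>[^@]+))?$")


def request_data(principal, default_realm):
    """Return (subject, san) for a host principal.

    subject: list of (attr, value) pairs in emission order.
    san:     list of (type, value) pairs, e.g. ("DNS", "host.example.com").
    """
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("not a host principal: %r" % principal)
    fqdn = m.group("fqdn")
    realm = m.group("realm") or default_realm
    return [("CN", fqdn), ("O", realm)], [("DNS", fqdn)]


def render_openssl(subject, san):
    """Render an openssl req(1) config like the --format openssl output."""
    lines = ["[req]", "prompt = no", "distinguished_name = sec0",
             "req_extensions = exts", "", "[sec0]"]
    lines += ["%s=%s" % kv for kv in subject]
    lines += ["", "[sec1]"]
    lines += ["%s=%s" % kv for kv in san]
    lines += ["", "[exts]", "subjectAltName=@sec1", ""]
    return "\n".join(lines)


def render_certutil(subject, san):
    """Render a certutil -R command like the --format certutil output.

    shlex.quote leaves plain DN characters alone (so the demo values come
    out unquoted) but protects spaces and shell metacharacters in a value.
    """
    dn = ",".join("%s=%s" % kv for kv in subject)
    ext = ",".join("%s:%s" % (t.lower(), v) for t, v in san)
    return "certutil -R -s %s --extSAN %s" % (shlex.quote(dn), shlex.quote(ext))


if __name__ == "__main__":
    subj, alt = request_data("host/hostname.ipadom.example.com",
                             "IPADOM.EXAMPLE.COM")
    print(render_openssl(subj, alt))
    print(render_certutil(subj, alt))
```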
