[Freeipa-devel] [WIP] Automatic CSR generation - first steps
Ben Lipton
blipton at redhat.com
Mon Jun 27 17:44:34 UTC 2016
My email client is playing tricks on me -
https://github.com/LiptonB/freeipa/pull/2 is the correct link.
On 06/27/2016 01:14 PM, Ben Lipton wrote:
> Hi,
>
> I have implemented the core functionality of the automatic CSR
> generation design
> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation).
> The code (which should be considered a work in progress) is available
> at https://github.com/LiptonB/freeipa/pull/2, please take a look and
> let me know what you think!
>
> First, a demo, then some notes:
>
> [root at ipavm ~]# ipa cert-get-requestdata --principal
> host/hostname.ipadom.example.com --format openssl
> Debug output: [req]
> prompt = no
> distinguished_name = sec0
> req_extensions = exts
>
> [sec0]
> CN=hostname.ipadom.example.com
> O=IPADOM.EXAMPLE.COM
>
> [sec1]
> DNS=hostname.ipadom.example.com
>
> [exts]
> subjectAltName=@sec1
>
>
> [root at ipavm ~]# ipa cert-get-requestdata --principal
> host/hostname.ipadom.example.com --format certutil
> Debug output: certutil -R -s
> CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN
> dns:hostname.ipadom.example.com
>
>
> Notes:
> - This is implemented using the four-level schema
> (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A).
> I'm very interested in comments on improving the schema or the way I
> interact with it in the code.
> - Only includes rules for one profile at the moment, and it's probably
> not one you'd use (it weirdly puts the FQDN in both Subject and
> SubjectAltName). Think of it as an example to show that extensions are
> supported.
> - Right now, transformation rules are implemented in python. Migrating
> them to a scheme where rules are text-based and can be added at
> runtime is a future goal.
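As an added illustration, not code from the pull request or from FreeIPA: a minimal Python renderer for the two output formats shown in the demo above. It hard-codes the demo's rules (CN and SAN from the host principal's FQDN, O from the realm), takes the realm as an assumed extra input, and rejects hostnames that are not plain DNS names so that no config syntax can be smuggled into the generated file.

```python
import re

# Constructed example. A host principal looks like "host/<fqdn>"; the realm
# is passed in separately (assumption: the caller knows it, as IPA would).
HOSTNAME_RE = re.compile(
    r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$')
REALM_RE = re.compile(r'^[A-Z0-9.-]+$')


def parse_host_principal(principal):
    """Return the FQDN from "host/<fqdn>", refusing anything that is not a
    plain DNS name (openssl.cnf expands "$var", and "[" or a newline would
    start a new section), so the value cannot alter the generated config."""
    service, sep, hostname = principal.partition('/')
    if service != 'host' or not sep or not HOSTNAME_RE.match(hostname):
        raise ValueError('expected host/<fqdn>, got %r' % (principal,))
    return hostname


def request_data(principal, realm):
    """Apply the demo's rules: subject CN and O, one DNS SAN entry."""
    if not REALM_RE.match(realm):
        raise ValueError('unexpected realm %r' % (realm,))
    hostname = parse_host_principal(principal)
    subject = [('CN', hostname), ('O', realm)]
    san = [('DNS', hostname)]
    return subject, san


def render_openssl(subject, san):
    """Emit an openssl req config with numbered data sections, as in the demo."""
    lines = ['[req]', 'prompt = no', 'distinguished_name = sec0',
             'req_extensions = exts', '']
    lines += ['[sec0]'] + ['%s=%s' % kv for kv in subject] + ['']
    lines += ['[sec1]'] + ['%s=%s' % kv for kv in san] + ['']
    lines += ['[exts]', 'subjectAltName=@sec1']
    return '\n'.join(lines) + '\n'


def render_certutil(subject, san):
    """Emit the certutil -R command line shown in the demo."""
    dn = ','.join('%s=%s' % kv for kv in subject)
    ext = ','.join('%s:%s' % (k.lower(), v) for k, v in san)
    return 'certutil -R -s %s --extSAN %s' % (dn, ext)
```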