[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)
HonzaCholasta
freeipa-github-notification at redhat.com
Tue Jan 24 08:35:16 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)
HonzaCholasta commented:
"""
@LiptonB, I think certificate profiles and CSR generation profiles / templates *should* be associated, but not by sharing the same logical `certprofile` object, as it creates an unwarranted dependency on Dogtag. Instead CSR templates should be represented by their own dedicated objects separate from `certprofile` objects, which can contain a reference to the default CSR template object. This way it will be possible to extend `cert-request` as you described, but it will also be possible to generate a CSR and submit it to an external CA, even in CA-less IPA deployment.
As for `userCert`, removing just the dogtag profile but keeping the CSR template is exactly what I meant.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-274740750
More information about the Freeipa-devel
mailing list