[Freeipa-devel] Re: Certificate enrollment, principal names

Dmitri Pal dpal at redhat.com
Thu Nov 5 15:39:00 UTC 2009


Nalin Dahyabhai wrote:
> On Wed, Nov 04, 2009 at 09:44:09PM -0800, Andrew Wnuk wrote:
>   
>> Passing entire CSR as a parameter to ipa command could avoided if
>> XML-RPC framework would provide pre and post processing callbacks on
>> the client side. Parameters could be used to describe CSR (instead of
>> passing entire CSR), pre-processing callback could generate CSR based
>> on provided description, then XML-RPC call could submit generated CSR
>> and finally post-processing callback could properly place obtained
>> certificate.
>>     
>
> The CSR is usually signed with the client's key, so we can't generate it
> at the server (unless we're doing server-side key generation, which I
> don't think we're doing yet).
>
>   
This is not what Andrew was saying.
As far as I understand, the CSR is a blob of signed information that the
client sends to the server to get a certificate. The CSR needs to be created
somehow. I do not know how it is created, but it seems that there are two
steps:
* create CSR
* pass CSR to the command

Andrew suggested doing it in one step (and I agree with him).
However, we have two different use cases:
* Admin wants to create a cert - in this case our standard CLI is called
(and the discussion about hooks is related to this part)
* Certmonger asks for a cert - in this case it does not use our standard
XML-RPC framework but rather prepares the request itself and sends it over
XML-RPC

So how do we do, or plan to do, it in each of the two use cases?
It seems that the most user-friendly approach would be to ask the user for
arguments, use these arguments to generate the CSR on the client, and then
pass it to the server.
In both cases it should be done in one step, by invoking other tools and
utils (if any) needed to prepare the CSR from within the command.

Am I correct?

> We could pass a public key by itself with other bits of info alongside,
> but then you lose the signing of it.  In the general case, you really
> want the client-supplied data to be signed if the approval process is
> going to use any of it.
>
> Besides, CSRs are just how this stuff's done, and the reformatting at
> the client end can be done with an awk script.  I don't want to add more
> work for ourselves by trying to change that part of it.
>
> Cheers,
>
> Nalin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

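The two steps Dmitri lists (create the CSR on the client, then hand the blob to the server) and Nalin's point that the server must verify the CSR's signature before any field in it feeds the approval process, as an added example that is not part of the thread or of FreeIPA's code. It uses the Python `cryptography` library, a constructed host name, and a same-length edit of the subject to model what unsigned request data would allow.

```python
"""Added example (not FreeIPA code): client-side CSR generation and the
server-side signature check that makes the CSR's fields trustworthy."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_csr(hostname: str):
    """Client side: generate a key and a CSR from a host name. The private
    key never leaves the client; only the DER-encoded CSR is sent."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(serialization.Encoding.DER)


def check_csr(der: bytes, expected_host: str) -> dict:
    """Server side: parse the CSR, confirm the requester holds the private key
    (self-signature), and only then compare the names against the enrolling host."""
    csr = x509.load_der_x509_csr(der)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    dns_names = san.get_values_for_type(x509.DNSName)
    signature_ok = csr.is_signature_valid
    return {
        "signature_ok": signature_ok,
        "cn": cn,
        "dns_names": dns_names,
        # Names are only meaningful if the signature over them verified.
        "approvable": signature_ok and cn == expected_host and dns_names == [expected_host],
    }


def tamper_subject(der: bytes, old: str, new: str) -> bytes:
    """Model an in-transit edit of the subject after signing; a same-length
    replacement keeps the DER structure parseable but breaks the signature."""
    assert len(old) == len(new)
    return der.replace(old.encode(), new.encode(), 1)


if __name__ == "__main__":
    host = "web.example.test"  # constructed host name
    _key, der = build_csr(host)
    print(check_csr(der, host))                  # signature_ok True, approvable True
    bad = tamper_subject(der, host, "bad.example.test")
    print(check_csr(bad, "bad.example.test"))    # signature_ok False, approvable False
```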
