[Freeipa-devel] [PATCH] 304 hosts requesting certificates
Rob Crittenden
rcritten at redhat.com
Wed Oct 28 21:41:14 UTC 2009
I had originally implemented allowing a host to request certificates for
other hosts using the requesting IP address. That was a pretty lousy way
to do it.
This patch uses the DS ACI system instead. We came up with a clever ACI
that lets hosts listed in the managedBy attribute in the service modify
the userCertificate attribute. So you can use this to delegate which
hosts can request certificates for which services, even for other machines.
I also re-ordered the request_certificate() method a bit. We want all
the service work done before we do the certificate request. It was
previously adding the service after the cert request was done. This
could mean a failed request if the requestor isn't allowed to add
services. But it is also too late because the cert had already been issued.
I documented how this works a bit at
http://www.freeipa.org/page/Certificate_Authority
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-304-cert.patch
Type: application/mbox
Size: 12393 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091028/e64e3966/attachment.mbox>
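As an added illustration of the managedBy-based ACI described above (constructed here, not code from the attached patch or from FreeIPA itself), the LDIF below shows a simplified service entry with two managing hosts and a 389 DS ACI that lets only the hosts listed in that entry's managedBy attribute write userCertificate. All DNs, host names, the suffix and the ACI name are assumed values; object classes are trimmed to what the example needs.

```ldif
# Constructed example. Suffix dc=example,dc=com, host and service names are assumed.

# 1. A service entry whose certificate may be requested by the hosts in managedBy.
#    Hosts bind with their own DN under cn=computers; the second managedBy value
#    delegates the HTTP/web.example.com certificate to a different machine.
dn: krbprincipalname=HTTP/web.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
objectClass: krbprincipal
objectClass: ipaService
krbprincipalname: HTTP/web.example.com@EXAMPLE.COM
managedBy: fqdn=web.example.com,cn=computers,cn=accounts,dc=example,dc=com
managedBy: fqdn=mgmt.example.com,cn=computers,cn=accounts,dc=example,dc=com

# 2. ACI on the services container. The bind rule userattr = "managedBy#USERDN"
#    is satisfied only when the bind DN appears in the target entry's managedBy
#    attribute, so a host that is not listed gets "Insufficient access" when it
#    tries to write userCertificate, regardless of its IP address.
dn: cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userCertificate")
 (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=example,dc=com")
 (version 3.0; acl "Hosts can manage service certificates (example)";
 allow (write) userattr = "managedBy#USERDN";)
```

Because the ACI is scoped to targetattr userCertificate and to service entries, a managing host cannot use it to change other service attributes or to touch services it is not listed on; a quick check is to bind as an unlisted host and confirm that an ldapmodify of userCertificate is refused.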