[Freeipa-devel] Is CA certificate storage correct?

Martin Kosek mkosek at redhat.com
Fri May 23 14:36:22 UTC 2014


On 05/20/2014 11:16 AM, Jan Cholasta wrote:
> On 20.5.2014 08:28, Martin Kosek wrote:
>> Hi there,
>>
>> I checked the update CA Certificate renewal feature design page and one part
>> seemed awkward to me:
>>
>> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>>
>> IIUC, when there are multiple iterations of a certificate stored, there will be
>> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
>> attributes, ipaKeyTrust, ...
>>
>> Given that LDAP does not guarantee order, how do I identify which cACertificate
>> belongs to which attribute?
> 
> There is no such relation, ipaKey* attributes apply to all of the cACertificate
> attributes.
> 
>>
>> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
>> returned, how do I find out which certificate it is? Do I need to go through
>> all binary blobs, parse them and look which blob matches?
> 
> No.

Could you then please state some example in

http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store

with more than one cACertificate;binary? I think it would greatly help
understand the relation of the new schema attributes and cACertificate. As you
can see, it may be pretty confusing.

Martin
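As an added illustration (not part of this thread and not FreeIPA's own code) of the point Jan makes above: the ipaKey* attributes are entry-level, so every cACertificate;binary value in the object carries the same usage and trust flags, and nothing in the entry ties one usage value to one particular blob. The script below parses a small constructed LDIF entry with two certificate values and shared ipaKeyUsage/ipaKeyTrust attributes, then shows what an (ipaKeyUsage=...) search returns. The DN, objectClass, the certificate bytes (placeholders, not real DER) and the ipaKeyUsage/ipaKeyTrust values are all assumptions made for the example, not taken from the design page.

```python
import base64
from collections import defaultdict

# Constructed placeholder blobs standing in for DER-encoded CA certificates.
CERT_1_DER = b"placeholder DER for certificate #1 (not a real certificate)"
CERT_2_DER = b"placeholder DER for certificate #2 (not a real certificate)"

# Constructed LDIF entry (assumed DN, objectClass and attribute values):
# one object, two cACertificate;binary values, entry-level ipaKey* attributes.
SAMPLE_LDIF = f"""\
dn: cn=Example CA,cn=certificates,dc=example,dc=test
objectClass: top
cn: Example CA
cACertificate;binary:: {base64.b64encode(CERT_1_DER).decode()}
cACertificate;binary:: {base64.b64encode(CERT_2_DER).decode()}
ipaKeyUsage: digitalSignature
ipaKeyUsage: keyCertSign
ipaKeyTrust: trusted
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles base64 values ("attr:: ...") and folded continuation lines
    (a line starting with one space continues the previous line).
    Multi-valued attributes keep every value in file order; LDAP itself
    does not promise any ordering, which is why the order cannot be used
    to pair a cACertificate value with anything else in the entry.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            entry[name].append(base64.b64decode(value[1:].strip()))
        else:
            entry[name].append(value.strip())
    return dict(entry)


def trust_view(entry):
    """Return one record per stored certificate.

    Each record carries the entry's complete ipaKeyUsage and ipaKeyTrust
    sets, because those attributes describe the entry, not one blob.
    Telling the blobs apart (subject, serial, validity) would require
    decoding the DER itself, which is outside this example.
    """
    usage = frozenset(entry.get("ipaKeyUsage", []))
    trust = frozenset(entry.get("ipaKeyTrust", []))
    return [{"cert_der": blob, "usage": usage, "trust": trust}
            for blob in entry.get("cACertificate;binary", [])]


def entries_with_usage(entries, wanted):
    """Mimic an ldapsearch filter (ipaKeyUsage=<wanted>).

    Matching happens per entry, so a hit returns the whole object with all
    of its certificate values, never a single certificate.
    """
    return [e for e in entries if wanted in e.get("ipaKeyUsage", [])]


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for i, rec in enumerate(trust_view(entry), 1):
        print(f"certificate #{i}: usage={sorted(rec['usage'])} "
              f"trust={sorted(rec['trust'])}")
    hits = entries_with_usage([entry], "keyCertSign")
    print(f"entries matching (ipaKeyUsage=keyCertSign): {len(hits)}")
```

Running it prints the same usage and trust set for both certificates and a single matching entry for the search, which is exactly the situation Martin asks about: the search identifies the object, not which of its cACertificate values is meant.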
