[Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

Jan Cholasta jcholast at redhat.com
Mon Aug 15 12:08:54 UTC 2016


On 19.7.2016 12:05, Jan Cholasta wrote:
> On 19.7.2016 11:54, Fraser Tweedale wrote:
>> On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 15.7.2016 07:05, Fraser Tweedale wrote:
>>>> On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
>>>>> The attached patch is a work in progress for
>>>>> https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
>>>>>
>>>>> I am sharing now to make the approach clear and solicit feedback.
>>>>>
>>>>> It has been tested for server install, replica install (with and
>>>>> without CA) and CA-replica install (all hosts running master+patch).
>>>>>
>>>>> Migration from earlier versions and server/replica/CA install on a
>>>>> CA-less deployment are not yet tested; these will be tested over
>>>>> coming days and patch will be tweaked as necessary.
>>>>>
>>>>> Commit message has a fair bit to say so I won't repeat here but let
>>>>> me know your questions and comments.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>> It does help to attach the patch, of course ^_^
>>>
>>> IMO explicit is better than implicit, so instead of introducing
>>> additional
>>> magic around --subject, I would rather add a new separate option for
>>> specifying the CA subject name (I think --ca-subject, for consistency
>>> with
>>> --ca-signing-algorithm).
>>>
>> The current situation - the --subject argument which specifies
>> not the subject but the subject base - is confusing enough (to say
>> nothing of the limitations that give rise to the RFE).
>>
>> Retaining --subject for specifying the subject base and adding
>> --ca-subject for specifying the *actual* subject DN gets us over the
>> line in terms of the RFE, but does not make the installer less
>> confusing.  This is why I made --subject accept the full subject DN,
>> with provisions to retain existing behaviour.
>>
>> IMO if we want to have separate arguments for subject DN and subject
>> base (I am not against it), let's bite the bullet and name arguments
>> accordingly.  --subject should be used to specify full Subject DN,
>> --subject-base (or similar) for specifying subject base.
>
> IMHO --ca-subject is better than --subject, because it is more explicit
> whose subject name that is (the CA's). I agree that --subject should be
> deprecated and replaced with --subject-base.
>
>>
>> (I intentionally defer discussion of specific behaviour if one, none
>> or both are specified; let's resolve the question of renaming /
>> changing meaning of arguments first).
>>
>>
>>> By specifying the option you would override the default "CN=Certificate
>>> Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
>>> additional validation would be done to make sure the subject name meets
>>> Dogtag's expectations. Actually, it might make sense to always do the
>>> additional validation, to be able to print a warning that if a
>>> Dogtag-incompatible subject name is used, it won't be possible to
>>> change the
>>> CA cert chaining from externally signed to self-signed later.
>>>
>>> Honza

Bump, any update on this?

-- 
Jan Cholasta
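The option resolution sketched in the quoted proposal (an explicit --ca-subject overriding the default "CN=Certificate Authority,$SUBJECT_BASE" derived from the subject base, plus a warning when a non-default CA subject is used), as an added Python example that is not FreeIPA or Dogtag code. The DN parser, the requirement that the CA subject start with a CN RDN, and the warning wording are assumptions of this example; the thread does not spell out what Dogtag's expectations are.

```python
"""Hypothetical CA-subject resolution for an installer with --subject-base
and --ca-subject options.  Example code, not FreeIPA's own implementation."""
import re

# Default CN used when no explicit CA subject is given (as in the thread).
DEFAULT_CA_CN = "Certificate Authority"


def _split_unescaped(s, sep):
    """Split s on sep, ignoring occurrences escaped with a backslash."""
    out, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    out.append("".join(buf))
    return out


def _unescape(value):
    """Remove RFC 4514-style backslash escapes from an attribute value."""
    return re.sub(r"\\(.)", r"\1", value)


def _escape(value):
    """Backslash-escape the special characters of an attribute value."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def parse_dn(dn):
    """Parse a string DN into a list of (TYPE, value) tuples, most specific
    RDN first.  Multi-valued RDNs ('+') are not supported in this example."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)   # attribute types never contain '='
        attr, value = attr.strip(), _unescape(value.strip())
        if not attr or not value:
            raise ValueError("empty attribute type or value in DN %r" % dn)
        rdns.append((attr.upper(), value))
    return rdns


def format_dn(rdns):
    """Serialise (TYPE, value) tuples back into a string DN."""
    return ",".join("%s=%s" % (attr, _escape(value)) for attr, value in rdns)


def resolve_ca_subject(subject_base, ca_subject=None):
    """Return (rdns, is_default) for the CA certificate subject.

    An explicit ca_subject (--ca-subject) wins; otherwise the default
    "CN=Certificate Authority,<subject_base>" is built from --subject-base.
    """
    default = [("CN", DEFAULT_CA_CN)] + parse_dn(subject_base)
    if ca_subject is None:
        return default, True
    rdns = parse_dn(ca_subject)
    # Assumption of this example: the CA subject must lead with a CN RDN.
    if rdns[0][0] != "CN":
        raise ValueError("CA subject must start with a CN RDN: %r" % ca_subject)
    return rdns, rdns == default


def ca_subject_warning(subject_base, ca_subject=None):
    """Warning text the installer could print for a non-default CA subject,
    or None when the default form is in effect."""
    rdns, is_default = resolve_ca_subject(subject_base, ca_subject)
    if is_default:
        return None
    return ("CA subject %s differs from the default form; switching the CA "
            "from externally signed to self-signed later may not be possible"
            % format_dn(rdns))


if __name__ == "__main__":
    base = "O=EXAMPLE.TEST"                       # constructed sample input
    print(format_dn(resolve_ca_subject(base)[0]))
    print(ca_subject_warning(base, "CN=Example Root CA,O=Example\\, Inc."))
```

The parser keeps escape pairs intact while splitting on commas so that a value such as `Example\, Inc.` survives as one RDN, then unescapes each value; `format_dn` re-escapes, so parsing and formatting round-trip.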



