[Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

Fraser Tweedale ftweedal at redhat.com
Mon Aug 15 12:54:25 UTC 2016


On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> On 19.7.2016 12:05, Jan Cholasta wrote:
> > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > > 
> > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > The attached patch is a work in progress for
> > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > > 
> > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > > 
> > > > > > It has been tested for server install, replica install (with and
> > > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > > 
> > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > coming days and patch will be tweaked as necessary.
> > > > > > 
> > > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > > me know your questions and comments.
> > > > > > 
> > > > > > Thanks,
> > > > > > Fraser
> > > > > > 
> > > > > It does help to attach the patch, of course ^_^
> > > > 
> > > > IMO explicit is better than implicit, so instead of introducing
> > > > additional magic around --subject, I would rather add a new separate
> > > > option for specifying the CA subject name (I think --ca-subject, for
> > > > consistency with --ca-signing-algorithm).
> > > > 
> > > The current situation - the --subject argument, which specifies
> > > not the subject but the subject base - is confusing enough (to say
> > > nothing of the limitations that give rise to the RFE).
> > > 
> > > Retaining --subject for specifying the subject base and adding
> > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > line in terms of the RFE, but does not make the installer less
> > > confusing.  This is why I made --subject accept the full subject DN,
> > > with provisions to retain existing behaviour.
> > > 
> > > IMO if we want to have separate arguments for subject DN and subject
> > > base (I am not against it), let's bite the bullet and name arguments
> > > accordingly.  --subject should be used to specify full Subject DN,
> > > --subject-base (or similar) for specifying subject base.
> > 
> > IMHO --ca-subject is better than --subject, because it is more explicit
> > whose subject name that is (the CA's). I agree that --subject should be
> > deprecated and replaced with --subject-base.
> > 
> > > 
> > > (I intentionally defer discussion of specific behaviour if one, none
> > > or both are specified; let's resolve the question of renaming /
> > > changing the meaning of arguments first).
> > > 
> > > 
> > > > By specifying the option you would override the default "CN=Certificate
> > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > additional validation would be done to make sure the subject name meets
> > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > additional validation, to be able to print a warning that if a
> > > > Dogtag-incompatible subject name is used, it won't be possible to
> > > > change the CA cert chaining from externally signed to self-signed later.
> > > > 
> > > > Honza
> 
> Bump, any update on this?
> 
I have an updated patch that fixes some issues Sebastian encountered
in testing, but I've not yet tackled the main change requested by
Honza (in brief: adding --ca-subject for specifying that, adding
--subject-base for specifying that, and deprecating --subject;
Sebastian, see discussion above and feel free to give your
thoughts).  I expect I'll get back onto this work within the next
few days.

Thanks,
Fraser
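The option semantics discussed above (an explicit CA subject overriding the default "CN=Certificate Authority,$SUBJECT_BASE", plus Honza's suggested warning when the chosen subject departs from the shape Dogtag expects), as an added illustration that is not part of the patch or of FreeIPA's own code. It assumes a hypothetical --ca-subject / --subject-base pair, and it assumes for the check that "Dogtag-compatible" means the default shape (CN=Certificate Authority directly under the subject base); the DN splitter is a simplified one written for this example.

```python
from typing import List, Optional, Tuple

DEFAULT_CA_CN = "Certificate Authority"   # default CA CN quoted in the thread


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (type, value) RDNs, honouring backslash-escaped
    commas such as 'O=Example\\, Inc.'.  Simplified parser for this example
    (no multi-valued '+' RDNs); attribute types are lower-cased for comparison."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            cur.append(dn[i + 1]); i += 2; continue
        if ch == ",":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        typ, _, val = part.strip().partition("=")
        if not typ or not val:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def resolve_ca_subject(subject_base: str, ca_subject: Optional[str] = None) -> str:
    """Hypothetical --ca-subject handling: an explicit value wins, otherwise the
    default 'CN=Certificate Authority,<subject base>' is used."""
    if ca_subject:
        split_rdns(ca_subject)   # reject malformed input before it reaches the CA
        return ca_subject
    return f"CN={DEFAULT_CA_CN},{subject_base}"


def matches_dogtag_default(ca_subject: str, subject_base: str) -> bool:
    """ASSUMPTION for this example: Dogtag expects the default shape, i.e. exactly
    one RDN 'CN=Certificate Authority' directly under the subject base.  A False
    result is the case where the thread suggests warning the admin that the CA
    cannot later be switched from externally signed to self-signed."""
    rdns = split_rdns(ca_subject)
    base = split_rdns(subject_base)
    return (len(rdns) == len(base) + 1
            and rdns[0] == ("cn", DEFAULT_CA_CN)
            and rdns[1:] == base)
```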