[Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

Fraser Tweedale ftweedal at redhat.com
Fri Aug 19 10:09:33 UTC 2016


On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> > On 19.7.2016 12:05, Jan Cholasta wrote:
> > > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > > Hi,
> > > > > 
> > > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > > The attached patch is a work in progress for
> > > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > > > 
> > > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > > > 
> > > > > > > It has been tested for server install, replica install (with and
> > > > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > > > 
> > > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > > coming days and patch will be tweaked as necessary.
> > > > > > > 
> > > > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > > > me know your questions and comments.
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > Fraser
> > > > > > > 
> > > > > > It does help to attach the patch, of course ^_^
> > > > > 
> > > > > IMO explicit is better than implicit, so instead of introducing
> > > > > additional magic around --subject, I would rather add a new
> > > > > separate option for specifying the CA subject name (I think
> > > > > --ca-subject, for consistency with --ca-signing-algorithm).
> > > > > 
> > > > The current situation - the --subject argument, which specifies
> > > > not the subject but the subject base - is confusing enough (to say
> > > > nothing of the limitations that give rise to the RFE).
> > > > 
> > > > Retaining --subject for specifying the subject base and adding
> > > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > > line in terms of the RFE, but does not make the installer less
> > > > confusing.  This is why I made --subject accept the full subject DN,
> > > > with provisions to retain existing behaviour.
> > > > 
> > > > IMO if we want to have separate arguments for subject DN and subject
> > > > base (I am not against it), let's bite the bullet and name arguments
> > > > accordingly.  --subject should be used to specify full Subject DN,
> > > > --subject-base (or similar) for specifying subject base.
> > > 
> > > IMHO --ca-subject is better than --subject, because it is more explicit
> > > whose subject name that is (the CA's). I agree that --subject should be
> > > deprecated and replaced with --subject-base.
> > > 
> > > > 
> > > > (I intentionally defer discussion of specific behaviour if one, none
> > > > or both are specified; let's resolve the question of renaming /
> > > > changing the meaning of arguments first).
> > > > 
> > > > 
> > > > > By specifying the option you would override the default "CN=Certificate
> > > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > > additional validation would be done to make sure the subject name meets
> > > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > > additional validation, to be able to print a warning that if a
> > > > > Dogtag-incompatible subject name is used, it won't be possible to
> > > > > change the CA cert chaining from externally signed to self-signed later.
> > > > > 
> > > > > Honza
> > 
> > Bump, any update on this?
> > 
> I have an updated patch that fixes some issues Sebastian encountered
> in testing, but I've not yet tackled the main change requested by
> Honza (in brief: adding --ca-subject for specifying that, adding
> --subject-base for specifying that, and deprecating --subject;
> Sebastian, see discussion above and feel free to give your
> thoughts).  I expect I'll get back onto this work within the next
> few days.
> 
Update: I've got an updated version of the patch almost ready for
review, but I'm still ironing out some wrinkles in replica
installation.

Expect to be able to send it Monday or Tuesday for review.

Thanks,
Fraser