[Freeipa-devel] [PATCH] [WIP] Allow full customisability of CA subject name

Jan Cholasta jcholast at redhat.com
Tue Jul 19 10:05:21 UTC 2016


On 19.7.2016 11:54, Fraser Tweedale wrote:
> On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 15.7.2016 07:05, Fraser Tweedale wrote:
>>> On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
>>>> The attached patch is a work in progress for
>>>> https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
>>>>
>>>> I am sharing now to make the approach clear and solicit feedback.
>>>>
>>>> It has been tested for server install, replica install (with and
>>>> without CA) and CA-replica install (all hosts running master+patch).
>>>>
>>>> Migration from earlier versions and server/replica/CA install on a
>>>> CA-less deployment are not yet tested; these will be tested over
>>>> coming days and patch will be tweaked as necessary.
>>>>
>>>> Commit message has a fair bit to say so I won't repeat here but let
>>>> me know your questions and comments.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>> It does help to attach the patch, of course ^_^
>>
>> IMO explicit is better than implicit, so instead of introducing additional
>> magic around --subject, I would rather add a new separate option for
>> specifying the CA subject name (I think --ca-subject, for consistency with
>> --ca-signing-algorithm).
>>
> The current situation - the --subject argument which specifies
> not the subject but the subject base - is confusing enough (to say
> nothing of the limitations that give rise to the RFE).
>
> Retaining --subject for specifying the subject base and adding
> --ca-subject for specifying the *actual* subject DN gets us over the
> line in terms of the RFE, but does not make the installer less
> confusing.  This is why I made --subject accept the full subject DN,
> with provisions to retain existing behaviour.
>
> IMO if we want to have separate arguments for subject DN and subject
> base (I am not against it), let's bite the bullet and name arguments
> accordingly.  --subject should be used to specify full Subject DN,
> --subject-base (or similar) for specifying subject base.

IMHO --ca-subject is better than --subject, because it is more explicit 
whose subject name that is (the CA's). I agree that --subject should be 
deprecated and replaced with --subject-base.

>
> (I intentionally defer discussion of specific behaviour if one, none
> or both are specified; let's resolve the question of renaming /
> changing meaning of arguments first).
>
>
>> By specifying the option you would override the default "CN=Certificate
>> Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
>> additional validation would be done to make sure the subject name meets
>> Dogtag's expectations. Actually, it might make sense to always do the
>> additional validation, to be able to print a warning that if a
>> Dogtag-incompatible subject name is used, it won't be possible to change the
>> CA cert chaining from externally signed to self-signed later.
>>
>> Honza
>>
>> --
>> Jan Cholasta


-- 
Jan Cholasta
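The following is an added illustration of the two option designs discussed above; it is example code written for this page, not FreeIPA or Dogtag code. It assumes RFC 4514 DN syntax (parsed by a small helper so it runs stand-alone), assumes that an overloaded --subject would read a value whose first RDN is CN= as a full DN and anything else as a subject base (that heuristic is a guess, not the WIP patch's actual logic), and stands in for "Dogtag's expectations" with a placeholder rule (the CA subject must end with the subject base) that is not Dogtag's real requirement. The option names --subject-base and --ca-subject are the ones proposed in the thread.

```python
# Added example, not FreeIPA or Dogtag code: how an installer could derive
# the CA subject DN under the two option designs discussed in the thread.
#
# Assumptions made here (not stated in the thread):
#   * DN strings follow RFC 4514 syntax (comma-separated RDNs, backslash
#     escapes); no real DN library is used so the block runs stand-alone.
#   * The overloaded --subject heuristic treats a value whose first RDN is
#     CN= as a full DN and anything else as a subject base.
#   * "Dogtag's expectations" are stood in for by a placeholder rule: the CA
#     subject must end with the subject base. That is NOT Dogtag's real rule.

DEFAULT_CA_CN = "CN=Certificate Authority"


def split_rdns(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize(dn):
    """Canonical text form: attribute types upper-cased, no space around '='."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(out)


def default_ca_subject(subject_base):
    """The default the thread quotes: CN=Certificate Authority,$SUBJECT_BASE."""
    return f"{DEFAULT_CA_CN},{normalize(subject_base)}"


def resolve_explicit(subject_base, ca_subject=None):
    """Jan's proposal: --subject-base and --ca-subject are separate options,
    so no guessing is needed; --ca-subject simply overrides the default."""
    if ca_subject is None:
        return default_ca_subject(subject_base)
    return normalize(ca_subject)


def resolve_overloaded(subject):
    """Overloaded --subject as modelled here (assumed heuristic): read as a
    full DN if the first RDN is CN=, otherwise as a subject base. Note the
    ambiguity: a *base* that happens to start with CN= is silently promoted
    to a full CA subject, which is the implicit behaviour Jan objects to."""
    rdns = split_rdns(subject)
    if rdns and rdns[0].partition("=")[0].strip().upper() == "CN":
        return normalize(subject)
    return default_ca_subject(subject)


def ends_with_base(ca_subject, subject_base):
    """Placeholder compatibility rule (assumption): CA subject ends with base."""
    ca = split_rdns(normalize(ca_subject))
    base = split_rdns(normalize(subject_base))
    return len(ca) > len(base) and ca[-len(base):] == base


def check_ca_subject(ca_subject, subject_base, external_ca):
    """Always run the check, as Jan suggests: with --external-ca an
    incompatible subject only earns a warning (the CA cert is signed
    elsewhere, but switching the chaining to self-signed later will not be
    possible); without --external-ca the install must refuse."""
    if ends_with_base(ca_subject, subject_base):
        return []
    msg = (f"CA subject '{normalize(ca_subject)}' does not end with subject "
           f"base '{normalize(subject_base)}'; changing CA chaining from "
           f"externally signed to self-signed later will not be possible")
    if external_ca:
        return [("warning", msg)]
    raise ValueError(msg)


if __name__ == "__main__":
    base = "O=EXAMPLE.TEST"                                  # constructed input
    print(resolve_explicit(base))                            # the default
    print(resolve_explicit(base, "CN=Root CA,O=EXAMPLE.TEST"))
    print(resolve_overloaded("CN=Example,O=EXAMPLE.TEST"))   # base or full DN?
    print(check_ca_subject("CN=Root CA,O=OTHER", base, external_ca=True))
```

The last two calls in the usage section show the point of the thread: with one overloaded option the installer has to guess whether "CN=Example,O=EXAMPLE.TEST" is a base or a full DN, whereas with --ca-subject the caller states which it is, and the compatibility check can then be run unconditionally and merely downgraded to a warning when --external-ca is in use.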