[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

Jan Cholasta jcholast at redhat.com
Wed Jul 20 08:20:52 UTC 2016


Hi,

On 17.6.2016 00:06, Ben Lipton wrote:
> On 06/14/2016 08:27 AM, Ben Lipton wrote:
>> Hello all,
>>
>> I have written up a design proposal for making certificate requests
>> easier to generate when using alternate certificate profiles:
>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation.
>> The use case for this is described in
>> https://fedorahosted.org/freeipa/ticket/4899. I will be working on
>> implementing this design over the next couple of months. If you have
>> the time and interest, please take a look and share any comments or
>> concerns that you have.
>>
>> Thanks!
>>
>> Ben
>>
> Just a quick update to say that I've created a new document that covers
> the proposed schema additions in a more descriptive way (with diagrams!).
> I'm very new to developing with LDAP, so some more experienced eyes on
> the proposal would be very helpful, even if you don't have time to
> absorb the full design. Please take a look at
> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema
> if you have a chance.

I finally had a chance to take a look at this; here are some comments:

1) I don't like how transformation rules are tied to a particular helper 
and have to be duplicated for each of them. They should be generic and 
work with any helper, as helpers are just an implementation detail and 
their resulting data is the same.

In fact, I think I would prefer if the CSR was generated using 
python-cryptography's CertificateSigningRequestBuilder [1] rather than 
openssl or certutil or any other command line tool.


2) The schema seems unnecessarily complex. I think all we need is a 
single new multi-value attribute in certprofile. For your S/MIME 
example, it could be something like:

     attr: subjectname=CN={subject.cn},{subject_base}
     attr: san_rfc822name={subject.email}
     attr: san_directoryname={subject.dn}


Honza

[1] <https://cryptography.io/en/latest/x509/reference/#x-509-csr-certificate-signing-request-builder-object>

-- 
Jan Cholasta
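As an added example (not code from this thread or from FreeIPA), the following Python sketch shows how generic rules in the single-attribute form proposed in point 2 could be expanded with plain str.format and fed into python-cryptography's CertificateSigningRequestBuilder; the rule names, the subject fields and the sample values are assumptions for illustration.

```python
"""Added example: expand 'name=template' rules and build the CSR.
'{subject.cn}' is attribute access on a subject object and '{subject_base}'
a plain variable, so str.format implements the proposed syntax as-is."""
from types import SimpleNamespace

# Constructed sample rules in the proposed multi-value attribute form.
RULES = [
    "subjectname=CN={subject.cn},{subject_base}",
    "san_rfc822name={subject.email}",
    "san_directoryname={subject.dn}",
]


def render_rules(rules, subject, subject_base):
    """Return {name: [values]}; rules whose data is missing are skipped."""
    out = {}
    for rule in rules:
        name, template = rule.split("=", 1)
        try:
            value = template.format(subject=subject, subject_base=subject_base)
        except AttributeError:
            # e.g. a user without an email address gets no rfc822Name SAN
            continue
        out.setdefault(name, []).append(value)
    return out


def build_csr(rendered, key):
    """Sign a CSR from rendered rules with CertificateSigningRequestBuilder.
    cryptography is imported here so render_rules works without it."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    # RFC 4514 strings ("CN=alice,O=EXAMPLE") map directly onto x509.Name.
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name.from_rfc4514_string(rendered["subjectname"][0]))
    san = [x509.RFC822Name(v) for v in rendered.get("san_rfc822name", [])]
    san += [x509.DirectoryName(x509.Name.from_rfc4514_string(v))
            for v in rendered.get("san_directoryname", [])]
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(san), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    from cryptography.hazmat.primitives.asymmetric import ec
    alice = SimpleNamespace(cn="alice", email="alice@example.test",
                            dn="UID=alice,CN=users,DC=example,DC=test")
    rendered = render_rules(RULES, alice, "O=EXAMPLE.TEST")
    csr = build_csr(rendered, ec.generate_private_key(ec.SECP256R1()))
    print(csr.subject.rfc4514_string(), csr.is_signature_valid)
```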