[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
jcholast
freeipa-github-notification at redhat.com
Fri Nov 25 09:37:34 UTC 2016
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file
jcholast commented:
"""
To continue the discussion from the mailing list:
>> My point exactly - ca-show output should be equivalent to cert-show on the
>> CA certificate, as far as the certificate and chain are concerned.
>>
> I reused `BaseCertObject.takes_params' and `BaseCertObject._parse'
> to define the params and do most of the work. There is some overlap
> with what `BaseCertObject' defines and fields of the `ca' LDAP
> attribute so these are ignored/removed.
What I actually meant is that `cert-show` should also have a `chain` option and `certificate_chain` param in the future, which should work the same as in `ca-show`. Adding everything from BaseCertObject is overkill IMHO, and out of the scope of ticket 6178.
>> I think I would prefer if the certificate was always returned by the server,
>> but the chain only if --chain (or --all) is specified.
>>
>> Additionally, ca-add should also get the new options and do all of this.
>>
> I've implemented this. `--chain' implies `--all' but otherwise
> remains a client-side only param.
This does not scale well - if a new unrelated attribute is added to the CA LDAP entry, or if a new param is added to the CA object, `--chain` will imply retrieving them, which is not something we want. It should really be the other way around and `--all` should imply `--chain`, which also means `--chain` has to be defined on the server side.
>> Generator expressions are generally preferred over map():
>>
>> data = '\n'.join(to_pem(der) for der in ders)
>>
> Preferred by whom? ;)
Pythonistas, I believe :)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262916556
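The behaviour argued for in the comment (the CA certificate always written, the rest of the chain only when `--chain` is requested, with the PEM join done as a generator expression), as an added example that is not FreeIPA's own code; `to_pem`, `cert_output` and the sample DER blobs are constructed here for illustration.

```python
import base64

# Constructed sample DER blobs (not real certificates): the lightweight CA
# certificate first, then its issuers, in the order the server would return.
LEAF_DER = bytes(range(0, 70))
SUB_CA_DER = bytes(range(70, 130))
ROOT_DER = bytes(range(130, 200))


def to_pem(der):
    """Wrap one DER certificate in a PEM envelope (RFC 7468: 64-char lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


def cert_output(ders, chain=False):
    """Text to write to the output file.

    The CA certificate (first element) is always included; the remaining
    chain only when chain=True, so an unrelated --all never pulls the chain
    in by accident. Generator expression rather than map(), as suggested.
    """
    selected = ders if chain else ders[:1]
    return "\n".join(to_pem(der) for der in selected) + "\n"


def write_certs(path, ders, chain=False):
    """Write the certificate, or the whole chain, to a file on the client."""
    with open(path, "w") as f:
        f.write(cert_output(ders, chain))


if __name__ == "__main__":
    print(cert_output([LEAF_DER, SUB_CA_DER, ROOT_DER], chain=True))
```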