<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 27/05/15 15:53, Fraser Tweedale wrote: </div> <blockquote cite="mid:20150527135315.GC24915@dhcp-40-8.bne.redhat.com" type="cite"> <pre wrap="">This patch adds supports for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of host-mod and user-mod has been removed but revocation behaviour of -del and -disable is preserved. The latest profiles/caacl patchset (0001..0013 v5) depends on this patch for correct cert-request behaviour. There is one design question (or maybe more, let me know): the `--out=FILENAME' option to {host,service} show saves ONE certificate to the named file. I propose to either: a) write all certs, suffixing suggested filename with either a sequential numerical index, e.g. "cert.pem" becomes "cert.pem.1", "cert.pem.2", and so on; or b) as above, but suffix with serial number and, if there are different issues, some issuer-identifying information. Let me know your thoughts. Thanks, Fraser </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> Is there a possible way how to store certificates into one file? I read about possibilities to have multiple certs in one .pem file, but I'm not cert guru :) I personally vote for serial number in case there are multiple certificates, if ^ is no possible. 1) + if len(certs) > 0: please use only, if certs: 2) You need to re-generate API/ACI.txt in this patch 3) syntax error: + for dercert in certs_der 4) command ipa user-mod ca_user --certificate=<ceritifcate> removes the current certificate from the LDAP, by design. Should be the old certificate(s) revoked? You removed that part in the code. only the --addattr='usercertificate=<cert>' appends new value there <pre class="moz-signature" cols="72">-- Martin Basti</pre> </body> </html>