[Freeipa-users] Reports and questions

Rob Crittenden rcritten at redhat.com
Mon Jun 7 14:08:48 UTC 2010


Marc Schlinger wrote:
> Hello,
> 
> At last I did manage to create and use my certs, but with nss tools.
> 
> I've stopped using openssl ones, since they are not integrated with 
> freeipa. So I encounter no problems.
> 
> Last things I'd like to know. I've seen that I was able to modify the 
> content of signed certs through this file
> 
> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
> 
> 
> In this folder "/var/lib/pki-ca/profiles/ca/" there are a lot of cfg 
> files, but I do not understand how to "choose" them when signing a request.
> 
> I'd need very specific certs for an application, specific extensions, 
> but I don't want to add these extensions to all the certs that can be 
> issued.
> 
> Any hints?
> 
> Thanks,
> Marc Schlinger

Dogtag issues different types of certificates through the configuration 
files you're seeing. They call them profiles.

IPA supports only a single profile right now, the caIPAserviceCert profile.

Adding support for other profiles is possible but would require changes 
in both the IPA RA backend and in the IPA cert plugin. If you'd be 
interested in pursuing that I can give some guidance on how that might 
be done.

rob



