[Freeipa-users] Reports and questions
Rob Crittenden
rcritten at redhat.com
Fri Jun 11 17:42:45 UTC 2010
Marc Schlinger wrote:
>
>> Adding support for other profiles is possible but would require
>> changes in both the IPA RA backend and in the IPA cert plugin. If
>> you'd be interested in pursuing that I can give some guidance on how
>> that might be done.
>>
>> rob
>
> Yes, I'm interested, I will need this feature soon in order to generate,
> "software" client cert among others things.
> Marc Schlinger
Ok, this is sort of off the top of my head but it should point you in
the right direction.
There are two things that need to change. You need a way to specify the
profile when requesting the cert on the client side (using the ipa
command) and on the server for requesting the right profile.
I would add a --profile or --type argument to takes_options in
cert_request(), something like:
    StrEnum('type?',
        cli_name='type',
        label=_('Certificate type'),
        values=(u'user', u'service', u'specialservice'),
    ),
Next you need to tell the backend what to do with this. Update
ipaserver/plugins/dogtag.py to look something like:
    def request_certificate(self, csr, request_type='pkcs10', type=u'service'):
I would add a dictionary somewhere in here that defines something like:
    profile_types = {u'user': 'caUserCert', u'service': 'caIPAserviceCert',
                     u'specialservice': 'foo'}
Then change the call that actually submits the request:
    self._sslget('/ca/ee/ca/profileSubmitSSLClient',
                 self.env.ca_ee_port,
                 profileId=profile_types[type],
                 cert_request_type=request_type,
                 cert_request=csr,
                 xml='true')
This only gets you part of the way. Currently it is hardcoded in
ipalib/plugins/cert.py that we request only service certificates,
requiring a service principal to make a request. The resulting
certificate is stored within that principal. You'd have to do something
differently for other cert types.
rob
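The profile-selection step Rob sketches above, written out as a stand-alone Python example that is not part of the thread or of FreeIPA's own code. It keeps the type-to-profile dictionary from the mail (including the 'foo' placeholder for 'specialservice'), validates the requested type and the PKCS#10 blob before anything is submitted, and enforces the constraint mentioned at the end of the mail that a service certificate needs a service principal. The function names (select_profile, validate_pkcs10, build_submit_params, encode_submit_body), the CRMF request type and the sample CSR are assumptions introduced here; the sample is a constructed DER SEQUENCE, not a real certificate request, and no request is actually sent.

```python
# Added example: the client-side type -> Dogtag profile mapping described in
# the mail, with the checks a request path should do before calling
# profileSubmitSSLClient. Not FreeIPA code; all names below are assumed.
import base64
import re
from urllib.parse import urlencode

# Profile ids quoted in the mail. 'foo' is the mail's placeholder for the
# hypothetical 'specialservice' profile and is kept as-is.
PROFILE_TYPES = {
    u'user': 'caUserCert',
    u'service': 'caIPAserviceCert',
    u'specialservice': 'foo',
}

# Dogtag accepts pkcs10 and crmf as cert_request_type (assumption for crmf).
REQUEST_TYPES = ('pkcs10', 'crmf')

PEM_RE = re.compile(
    r'-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)'
    r'-----END (?:NEW )?CERTIFICATE REQUEST-----', re.S)


def strip_pem(csr):
    """Return the bare base64 body of a PEM CSR (or the input if already bare)."""
    m = PEM_RE.search(csr)
    body = m.group(1) if m else csr
    return ''.join(body.split())


def der_total_length(der):
    """Length of the outer DER SEQUENCE (tag + length bytes + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError('CSR is not a DER SEQUENCE (not PKCS#10)')
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7f                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError('malformed DER length')
    return 2 + n + int.from_bytes(der[2:2 + n], 'big')


def validate_pkcs10(csr):
    """Reject input that is not base64 of a single, correctly sized DER SEQUENCE.

    This is a cheap sanity check only; it does not parse the request body.
    Returns the bare base64 that would be sent as cert_request.
    """
    b64 = strip_pem(csr)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as e:               # binascii.Error is a ValueError
        raise ValueError('CSR is not valid base64: %s' % e)
    if der_total_length(der) != len(der):
        raise ValueError('DER length does not match CSR size')
    return b64


def select_profile(cert_type):
    """Map the --type value to a Dogtag profile id, refusing unknown types."""
    if cert_type not in PROFILE_TYPES:
        raise ValueError('unknown certificate type %r; expected one of %s'
                         % (cert_type, sorted(PROFILE_TYPES)))
    return PROFILE_TYPES[cert_type]


def build_submit_params(csr, cert_type=u'service', request_type='pkcs10',
                        principal=None):
    """Build the keyword arguments the mail passes to _sslget, as a dict.

    Mirrors the constraint in the mail: a service cert is stored on a
    service principal, so one must be supplied for that type.
    """
    if request_type not in REQUEST_TYPES:
        raise ValueError('unsupported request type %r' % request_type)
    if cert_type == u'service' and not principal:
        raise ValueError('service certificates require a service principal')
    cert_request = validate_pkcs10(csr) if request_type == 'pkcs10' else csr
    return {
        'profileId': select_profile(cert_type),
        'cert_request_type': request_type,
        'cert_request': cert_request,
        'xml': 'true',
    }


def encode_submit_body(params):
    """Form-encode the parameters as they would travel to profileSubmitSSLClient."""
    return urlencode(params)


# Constructed sample: PEM wrapping of DER 30 03 02 01 00 (a SEQUENCE holding
# INTEGER 0). It is NOT a real PKCS#10 request; it only exercises the checks.
SAMPLE_CSR = (
    '-----BEGIN NEW CERTIFICATE REQUEST-----\n'
    'MAMCAQA=\n'
    '-----END NEW CERTIFICATE REQUEST-----\n'
)

if __name__ == '__main__':
    params = build_submit_params(SAMPLE_CSR, u'service',
                                 principal='HTTP/host.example.com@EXAMPLE.COM')
    print(encode_submit_body(params))
```

The unknown-type check matters because profileSubmitSSLClient will happily take whatever profileId it is given; validating against the fixed dictionary on the IPA side keeps a client from naming an arbitrary CA profile.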