[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] 0037 Store issuser DN in certificate records

On 6/11/2015 9:24 AM, Fraser Tweedale wrote:
This patch causes Issuer DN to be stored in certificate records
using existing (unused) 'issuerName' attribute schema.

This will allow me to change sub-CAs implementation to a shared
certificate repo which means I don't have to worry about range
management anymore :)  But I think it is a sensible change in its
own right.

UI / CLI filters for issuer can come later - there's a TODO for that
on my tracking etherpad[1] and I will file a ticket later.

[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress


The patch itself looks good, but we also need to consider the existing certificate records in the database that do not have the issuerName. Two possibilities:

1. Add issuerName into all existing certificate records using a database upgrade script.

2. Maintain two types of certs such that:
* Certs issued by the main CA (and standalone sub CA) will continue to have empty issuerName.
* Certs issued by the light-weight sub CA will have non-empty issuerName.

Any preference?

Endi S. Dewata

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]