[Pki-devel] [PATCH] 0037 Store issuer DN in certificate records

Endi Sukma Dewata edewata at redhat.com
Mon Jun 15 19:52:17 UTC 2015


On 6/11/2015 9:24 AM, Fraser Tweedale wrote:
> This patch causes Issuer DN to be stored in certificate records
> using existing (unused) 'issuerName' attribute schema.
>
> This will allow me to change sub-CAs implementation to a shared
> certificate repo which means I don't have to worry about range
> management anymore :)  But I think it is a sensible change in its
> own right.
>
> UI / CLI filters for issuer can come later - there's a TODO for that
> on my tracking etherpad[1] and I will file a ticket later.
>
> [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>
> Cheers,
> Fraser

The patch itself looks good, but we also need to consider the existing 
certificate records in the database that do not have the issuerName. Two 
possibilities:

1. Add issuerName into all existing certificate records using a database 
upgrade script.

2. Maintain two types of certs such that:
* Certs issued by the main CA (and standalone sub CA) will continue to 
have empty issuerName.
* Certs issued by the light-weight sub CA will have non-empty issuerName.

Any preference?

-- 
Endi S. Dewata



