[Pki-devel] [PATCH] 0037 Store issuer DN in certificate records

Fraser Tweedale ftweedal at redhat.com
Tue Jun 16 01:00:18 UTC 2015


On Mon, Jun 15, 2015 at 02:52:17PM -0500, Endi Sukma Dewata wrote:
> On 6/11/2015 9:24 AM, Fraser Tweedale wrote:
> >This patch causes Issuer DN to be stored in certificate records
> >using existing (unused) 'issuerName' attribute schema.
> >
> >This will allow me to change sub-CAs implementation to a shared
> >certificate repo which means I don't have to worry about range
> >management anymore :)  But I think it is a sensible change in its
> >own right.
> >
> >UI / CLI filters for issuer can come later - there's a TODO for that
> >on my tracking etherpad[1] and I will file a ticket later.
> >
> >[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >
> >Cheers,
> >Fraser
> 
> The patch itself looks good, but we also need to consider the existing
> certificate records in the database that do not have the issuerName. Two
> possibilities:
> 
> 1. Add issuerName into all existing certificate records using a database
> upgrade script.
> 
> 2. Maintain two types of certs such that:
> * Certs issued by the main CA (and standalone sub CA) will continue to have
> empty issuerName.
> * Certs issued by the light-weight sub CA will have non-empty issuerName.
> 
> Any preference?
> 
> -- 
> Endi S. Dewata

I previously discussed option (2) with Ade, but on reflection I
think an upgrade script is the way to go - the better to have only
one case to handle elsewhere.  I will write the upgrade script.

Thanks,
Fraser
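The upgrade script mentioned above is not on this page; the following is an added example, not code from the patch or from Dogtag itself, showing the shape such a migration takes: every record lacking issuerName gets it filled from its own certificate's issuer field (so certificates from a lightweight sub-CA carry the sub-CA's DN rather than the main CA's), and records that already have one are left alone. It assumes each record holds its DER certificate under a userCertificate attribute; the minimal DER encoder, the sample certificates and the records are constructed for the example and only the fields up to the subject are emitted.

```python
OIDS = {b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # id-at-organizationName, id-at-commonName
def _der(tag, body):  # tiny DER encoder (lengths < 256), used only to build the constructed sample
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x81, len(body)]) + body
def _name(*pairs):  # X.501 Name: SEQUENCE OF (SET OF SEQUENCE { OID, UTF8String }), one ATV per RDN
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(0x0C, v.encode())))
                               for o, v in pairs))
def sample_cert(issuer, serial):  # constructed DER certificate: TBS prefix up to the subject only
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    subject = _name((b"\x55\x04\x03", "host.example.test"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg + issuer + subject)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
def _children(buf, start, end):  # yield (tag, value_start, value_end) per DER element in buf[start:end]
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                          # long form: next n bytes carry the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def issuer_dn(der):
    """Read the issuer Name out of a DER certificate as an RFC 4514 string."""
    _, cert_s, cert_e = next(_children(der, 0, len(der)))    # Certificate SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))   # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    _, name_s, name_e = fields[2]                             # serialNumber, signature, issuer
    rdns = []
    for _, rdn_s, rdn_e in _children(der, name_s, name_e):
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):
            (_, o_s, o_e), (_, v_s, v_e) = _children(der, atv_s, atv_e)
            rdns.append(f"{OIDS.get(der[o_s:o_e], '?')}={der[v_s:v_e].decode()}")
    return ",".join(reversed(rdns))                           # most specific RDN first

def upgrade_records(records):
    """Fill a missing issuerName from each record's own certificate; return the cns changed."""
    changed = []
    for rec in records:
        if not rec.get("issuerName"):       # records that already carry one are left alone
            rec["issuerName"] = issuer_dn(rec["userCertificate"])
            changed.append(rec["cn"])
    return changed
MAIN_CA = _name((b"\x55\x04\x0a", "EXAMPLE"), (b"\x55\x04\x03", "CA Signing Certificate"))
SUB_CA = _name((b"\x55\x04\x0a", "EXAMPLE"), (b"\x55\x04\x03", "Lightweight Sub-CA"))
RECORDS = [  # constructed stand-ins for certificate repository entries
    {"cn": "1", "userCertificate": sample_cert(MAIN_CA, 1)},
    {"cn": "2", "userCertificate": sample_cert(SUB_CA, 2)},
    {"cn": "3", "userCertificate": sample_cert(MAIN_CA, 3), "issuerName": "CN=preset,O=EXAMPLE"},
]
```

Running the migration twice is safe: the second pass finds nothing to change, which is the check a real upgrade script should also pass.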