[Pki-devel] [PATCH] 647 Added default subject DN for pki client-cert-request.

Endi Sukma Dewata edewata at redhat.com
Wed Sep 30 23:33:34 UTC 2015


On 9/30/2015 4:17 PM, Christina Fu wrote:
> Hi Endi,
> Thanks for adding this, and sorry for adding the comment after the fact...
>
> Just one suggestion in the man pages where subjectDN is described. You
> might want to add a note that it is up to the profile to accept or
> ignore the user specified subjectDN. This way, users won't be surprised
> if what they specified is not what they see in the end.
>
> conditional ACK on that note in man pages.
>
> thanks,
> Christina

Thanks! I updated the man page and pushed it to master.

-- 
Endi S. Dewata
-------------- next part --------------
From db403e74eb8a21ccd6192c57768ece6211aa2c79 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Sun, 27 Sep 2015 17:23:48 +0200
Subject: [PATCH] Added default subject DN for pki client-cert-request.

The pki client-cert-request CLI has been modified to generate a
default subject DN if it's not specified. The man page has been
updated accordingly.

https://fedorahosted.org/pki/ticket/1463
---
 base/java-tools/man/man1/pki-client.1              | 17 +++++++++++----
 .../cmstools/client/ClientCertRequestCLI.java      | 24 ++++++++++++++--------
 2 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/base/java-tools/man/man1/pki-client.1 b/base/java-tools/man/man1/pki-client.1
index 65e61855574e0801bdbf936b6299e54ee3857beb..da5de7cbf91ca6d14f81599c821a4e430093e8c4 100644
--- a/base/java-tools/man/man1/pki-client.1
+++ b/base/java-tools/man/man1/pki-client.1
@@ -21,7 +21,7 @@ pki-client \- Command-Line Interface for managing the security database on Certi
 \fBpki\fR [CLI options] \fBclient\fR
 \fBpki\fR [CLI options] \fBclient-init\fR [command options]
 \fBpki\fR [CLI options] \fBclient-cert-find\fR [command options]
-\fBpki\fR [CLI options] \fBclient-cert-request\fR <subject DN> [command options]
+\fBpki\fR [CLI options] \fBclient-cert-request\fR [subject DN] [command options]
 \fBpki\fR [CLI options] \fBclient-cert-import\fR [nickname] [command options]
 \fBpki\fR [CLI options] \fBclient-cert-mod\fR <nickname> [command options]
 \fBpki\fR [CLI options] \fBclient-cert-show\fR <nickname> [command options]
@@ -47,7 +47,7 @@ This command is to create a new security database for the client.
 This command is to list certificates in the client security database.
 .RE
 .PP
-\fBpki\fR [CLI options] \fBclient-cert-request\fR <subject DN> [command options]
+\fBpki\fR [CLI options] \fBclient-cert-request\fR [subject DN] [command options]
 .RS 4
 This command is to generate and submit a certificate request.
 .RE
@@ -82,13 +82,22 @@ To create a new database execute the following command:
 
 .B pki -d <security database location> -c <security database password> client-init
 
-To view certificates in the security database:
+To list certificates in the security database:
 
 .B pki -d <security database location> -c <security database password> client-cert-find
 
 To request a certificate:
 
-.B pki -d <security database location> -c <security database password> client-cert-request <subject DN>
+.B pki -d <security database location> -c <security database password> client-cert-request [subject DN]
+
+The subject DN requirement depends on the certificate profile being requested.
+Some profiles may require the user to provide a subject DN in a certain
+format. Some other profiles may generate their own subject DN.
+
+Certain profiles may also require additional authentication. To authenticate,
+a username and a password can be specified using the --username and --password
+options, respectively. If the subject DN is not specififed the CLI may use the
+username to generate a default subject DN "UID=<username>".
 
 To import a certificate from a file into the security database:
 
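Review bot: Typo in the last added paragraph of this hunk: "specififed" should be "specified". The same sentence says the CLI "may use the username" to generate the default, but the Java change in this patch always sets the subject DN to "UID=" plus the --username value when no DN argument is given, and exits with "Missing subject DN or request username" when neither is given. Suggest "the CLI will use the username" and one more sentence stating that omitting both the subject DN and --username is an error. It would also help to say explicitly that a profile may ignore or override a subject DN the user did supply, since "Some other profiles may generate their own subject DN" leaves that case open.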
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 370a7be5b1d09b8b445a82fce3c2185607e9ccae..3ec4745e6a38058d7bb697df5f367c8831bfa216 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -68,7 +68,7 @@ public class ClientCertRequestCLI extends CLI {
     }
 
     public void printHelp() {
-        formatter.printHelp(getFullName() + " <Subject DN> [OPTIONS...]", options);
+        formatter.printHelp(getFullName() + " [Subject DN] [OPTIONS...]", options);
     }
 
     public void createOptions() {
@@ -151,14 +151,23 @@ public class ClientCertRequestCLI extends CLI {
             System.exit(-1);
         }
 
-        if (cmdArgs.length < 1) {
-            System.err.println("Error: Missing subject DN.");
-            printHelp();
-            System.exit(-1);
+        String certRequestUsername = cmd.getOptionValue("username");
+
+        String subjectDN;
+
+        if (cmdArgs.length == 0) {
+            if (certRequestUsername == null) {
+                System.err.println("Error: Missing subject DN or request username.");
+                printHelp();
+                System.exit(-1);
+            }
+
+            subjectDN = "UID=" + certRequestUsername;
+
+        } else {
+            subjectDN = cmdArgs[0];
         }
 
-        String subjectDN = cmdArgs[0];
-
         // pkcs10, crmf
         String requestType = cmd.getOptionValue("type", "pkcs10");
 
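Review bot: In the new cmdArgs.length == 0 branch, the line subjectDN = "UID=" + certRequestUsername; concatenates the raw --username value into a DN string with no escaping. A username containing DN special characters such as "," "+" or "=" would yield a subject with extra or malformed RDNs instead of a single UID value. Suggest escaping the value per RFC 4514, or building the name through a DN/RDN API rather than string concatenation, and rejecting an empty username. Separately, the else branch takes cmdArgs[0] and silently ignores any further positional arguments; an explicit error when cmdArgs.length > 1 would catch a DN that was left unquoted and split by the shell.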
@@ -316,7 +325,6 @@ public class ClientCertRequestCLI extends CLI {
             }
         }
 
-        String certRequestUsername = cmd.getOptionValue("username");
         if (certRequestUsername != null) {
             request.setAttribute("uid", certRequestUsername);
         }
-- 
2.4.3


