[Pki-devel] [PATCH] Lightweight CAs

Endi Sukma Dewata edewata at redhat.com
Fri Sep 18 19:11:27 UTC 2015


On 9/18/2015 1:46 PM, Ade Lee wrote:
>> 6. Assuming authority DN is unique, we can add --issuer <DN> option
>> to these commands:
>> * pki ca-cert-find --issuer <dn>
>> * pki ca-cert-request-submit --issuer <dn>
>> * pki client-cert-find --issuer <dn>
>> * pki client-cert-request --issuer <dn>
>>
>
> If we do this, then we need to be sure that the DN is normalized - both
> on input -- ie. when the subca is created (we need to do this in any
> case) and also on processing in the CLI.
>
> I'm ok with offering this as an option (maybe --issuer_dn), but the
> primary (and initially required option) will be using UUID.  We can
> defer this mechanism to another ticket/patch.  Please open one.

Per IRC discussion we agreed with these options:
* --issuer-id <ID>
* --issuer-dn <DN>
to be added to the ca-cert-* and client-cert-request commands.

For the client-cert-find command we can only provide this option:
* --issuer-dn <DN>
since issuer ID is irrelevant on the client.

Personally I think the issuer DN would be more useful since that's the 
value that you see in certificates, so it's more consistent everywhere, 
and no need to do a lookup to find the issuer ID. Also, although most 
likely we will copy & paste the ID or DN anyway, the DN is easier to 
read and confirm that you're submitting the request to the right authority.

-- 
Endi S. Dewata
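The DN normalization that the quoted reply asks for (on input when the sub-CA is created, and again when the CLI resolves --issuer-dn) is shown below as an added example in Python; it is not Dogtag's own code (the project is Java) and it does not use any pki CLI or REST API. It assumes a constructed authority table, the attribute-type lists given in the code, and byte-wise decoding of \XX hex escapes, all of which are assumptions. It also goes slightly beyond the thread by handling quoted and escaped values and multi-valued RDNs, and by treating a non-unique DN as an error, since the thread's option design rests on the DN being unique.

```python
"""Issuer DN normalization and lookup (added example, not project code)."""
from __future__ import annotations
import re

# Attribute types compared with caseIgnoreMatch in LDAP (assumed list,
# covering the types usually seen in CA issuer DNs).
CASE_IGNORE_TYPES = {"cn", "o", "ou", "c", "st", "l", "dc", "emailaddress"}
# Short-name aliases mapped to one canonical type (assumed list).
TYPE_ALIASES = {"e": "emailaddress", "email": "emailaddress", "s": "st"}
# Constructed authority table: authority ID -> DN as stored at creation.
AUTHORITIES = {
    "authority-id-0001": "CN=Sub CA 1, O=Example Corp",
    "authority-id-0002": "CN=Sub CA 2, O=Example Corp",
}

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}")


def split_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split an RFC 4514 string DN into RDNs, each a list of (type, value).
    Handles backslash escapes, \\XX hex escapes (decoded byte-wise, an
    assumption) and double-quoted values; ',' or ';' separates RDNs,
    '+' separates values inside one multi-valued RDN."""
    rdns, rdn, buf, typ = [], [], [], None
    i, n, in_quotes = 0, len(dn), False
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            nxt = dn[i + 1:i + 3]
            if _HEX_PAIR.match(nxt):
                buf.append(chr(int(nxt[:2], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
            i += 1
            continue
        if not in_quotes and ch == "=" and typ is None:
            typ = "".join(buf)
            buf = []
            i += 1
            continue
        if not in_quotes and ch in ",;+":
            if typ is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((typ, "".join(buf)))
            buf, typ = [], None
            if ch != "+":
                rdns.append(rdn)
                rdn = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if typ is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append((typ, "".join(buf)))
    rdns.append(rdn)
    return rdns


def escape_value(v: str) -> str:
    """Re-escape a value for RFC 4514 output so the normalized form is
    itself a valid string DN."""
    s = "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    if s.startswith(("#", " ")):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def normalize_dn(dn: str) -> str:
    """Canonical form: lowercase types, aliases resolved, whitespace
    trimmed and collapsed, caseIgnore values case-folded, values within a
    multi-valued RDN sorted (their order carries no meaning)."""
    out = []
    for rdn in split_dn(dn):
        avas = []
        for typ, val in rdn:
            t = TYPE_ALIASES.get(typ.strip().lower(), typ.strip().lower())
            v = " ".join(val.split())  # assumption: whitespace never significant
            if t in CASE_IGNORE_TYPES:
                v = v.casefold()
            avas.append((t, v))
        avas.sort()
        out.append("+".join("%s=%s" % (t, escape_value(v)) for t, v in avas))
    return ",".join(out)


def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def find_authority(issuer_dn: str, authorities: dict[str, str] = AUTHORITIES) -> str | None:
    """Resolve --issuer-dn to an authority ID; None if unknown, error if
    the DN is not unique (the thread's design assumes it is)."""
    matches = [aid for aid, dn in authorities.items() if dn_equal(dn, issuer_dn)]
    if len(matches) > 1:
        raise ValueError("issuer DN %r matches several authorities: %s" % (issuer_dn, matches))
    return matches[0] if matches else None
```

Normalizing at both ends, as the reply suggests, means a request typed as `cn=sub ca 1,o=EXAMPLE CORP` resolves to the same authority as the stored `CN=Sub CA 1, O=Example Corp`, while two authorities whose DNs differ only in case or spacing are caught as a collision rather than silently picking one.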
