[Freeipa-devel] Certificate enrollment, principal names

Nalin Dahyabhai nalin at redhat.com
Tue Nov 3 23:37:11 UTC 2009


I think I'm getting closer to having certmonger (the provider of the
ipa-getcert command) be useful enough to throw certificate enrollment
requests at the IPA server, and I've got a couple of questions about how
the server decides what it will issue and what it puts in the
certificates that it issues.

First, how are we going to be expected to pass, to the server,
information about the certificate we'd like it to issue?

Until now, I've been storing the principal name in a subjectAltName
value in an extensionRequest attribute in the signing request.  I can
actually put quite a bit of information in extensionRequests.

It's not a lot of trouble to also provide that information along with
the signing request (as 1.9.0 expects, at least for the Kerberos
principal name), but if the server's going to be taking direction from
the client on any of these things, it might be more future-proof if it
could parse the request and validate its contents directly.

This would make adding a requested dnsName subjectAltName possible
without breaking any of the existing interfaces -- the client could
request it, or not, or more than one value, and the server would pick
and choose from everything that the client requested when deciding what
to put into a certificate.

The other question is about client authorization:  have we set down the
rules about which client identities are allowed to request what, and
what they get?

I ask because I think that we'll have to use the client host's identity
(via creds obtained using its keytab) to handle the case where the
connection to the CA doesn't become available until long after the
admin's logged out, but when I try that now, requests submitted using
the host's identity are being denied by the access control mechanisms.

Anyone have some insight to share here?

Thanks,

Nalin
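
The mechanism discussed above (a Kerberos principal carried as an otherName subjectAltName, plus dnsName values, inside the CSR's extensionRequest attribute, which the server then parses and filters against the requesting host's identity) as an added, self-contained example; this is illustration code, not certmonger or IPA code. It builds the extensionRequest attribute with a pure-stdlib DER encoder, parses it back out the way a server would, and applies an assumed policy: a host principal may only obtain names for its own FQDN and realm. The OIDs are the real ones (PKCS#9 extensionRequest, subjectAltName, id-pkinit-san from RFC 4556); the principals, host names and the approval rule are constructed assumptions.

```python
"""Build and validate an extensionRequest attribute carrying a subjectAltName
with a Kerberos principal (otherName, id-pkinit-san) and dNSName values.
Pure-stdlib DER for illustration; not certmonger or FreeIPA code."""

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_PKINIT_SAN = "1.3.6.1.5.2.2"                  # id-pkinit-san (RFC 4556)
NT_PRINCIPAL = 1                                  # Kerberos name-type


def _len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]          # least significant 7 bits first ...
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))  # ... reversed to big-endian base-128
    return tlv(0x06, bytes(out))


def krb5_principal_name(principal):
    """KRB5PrincipalName (RFC 4556) for 'primary/instance@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = b"".join(tlv(0x1B, c.encode()) for c in name.split("/"))  # GeneralString
    principal_name = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([NT_PRINCIPAL])))
                         + tlv(0xA1, tlv(0x30, components)))
    return tlv(0x30, tlv(0xA0, tlv(0x1B, realm.encode())) + tlv(0xA1, principal_name))


def general_name_other(type_oid, value):
    return tlv(0xA0, oid(type_oid) + tlv(0xA0, value))   # otherName [0], value [0] EXPLICIT


def general_name_dns(host):
    return tlv(0x82, host.encode("ascii"))               # dNSName [2] IA5String


def extension_request(general_names):
    """Attribute { extensionRequest, SET OF Extensions { SAN } } as a client would add it."""
    san_value = tlv(0x30, b"".join(general_names))
    extension = tlv(0x30, oid(OID_SUBJECT_ALT_NAME) + tlv(0x04, san_value))
    return tlv(0x30, oid(OID_EXTENSION_REQUEST) + tlv(0x31, tlv(0x30, extension)))


# ---- server side: parse what the client asked for, then filter it ----

def read_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def iter_tlvs(data):
    pos = 0
    while pos < len(data):
        tag, body, pos = read_tlv(data, pos)
        yield tag, body


def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def parse_principal(value):
    """Inverse of krb5_principal_name(): KRB5PrincipalName body -> 'name@REALM'."""
    outer = dict(iter_tlvs(value))
    _, realm, _ = read_tlv(outer[0xA0])
    _, pn_body, _ = read_tlv(outer[0xA1])
    _, name_seq, _ = read_tlv(dict(iter_tlvs(pn_body))[0xA1])
    return "/".join(b.decode() for _, b in iter_tlvs(name_seq)) + "@" + realm.decode()


def requested_sans(attribute):
    """Return (principals, dns_names) the client named in an extensionRequest attribute."""
    _, attr_body, _ = read_tlv(attribute)
    attr_oid, values = list(iter_tlvs(attr_body))
    if decode_oid(attr_oid[1]) != OID_EXTENSION_REQUEST:
        raise ValueError("not an extensionRequest attribute")
    principals, dns_names = [], []
    _, extensions, _ = read_tlv(values[1])                # SET OF -> Extensions SEQUENCE
    for _, ext_body in iter_tlvs(extensions):
        parts = list(iter_tlvs(ext_body))                  # [oid, (critical), octets]
        if decode_oid(parts[0][1]) != OID_SUBJECT_ALT_NAME:
            continue
        _, san_body, _ = read_tlv(parts[-1][1])           # OCTET STRING -> GeneralNames
        for tag, gn in iter_tlvs(san_body):
            if tag == 0x82:
                dns_names.append(gn.decode("ascii"))
            elif tag == 0xA0:
                type_oid, wrapped = list(iter_tlvs(gn))
                if decode_oid(type_oid[1]) == OID_PKINIT_SAN:
                    _, value, _ = read_tlv(wrapped[1])
                    principals.append(parse_principal(value))
    return principals, dns_names


def approve_sans(attribute, requester_principal):
    """Assumed policy: a host principal host/<fqdn>@REALM may only receive SAN
    values naming its own fqdn in its own realm. Everything else is dropped."""
    principals, dns_names = requested_sans(attribute)
    service, realm = requester_principal.rsplit("@", 1)
    fqdn = service.split("/", 1)[1].lower()
    ok_principals = [p for p in principals
                     if p.rsplit("@", 1)[1] == realm
                     and p.rsplit("@", 1)[0].split("/", 1)[-1].lower() == fqdn]
    ok_dns = [d for d in dns_names if d.lower() == fqdn]
    return ok_principals, ok_dns
```

The server-side half never trusts the request: it enumerates what was asked for and issues only the subset the authenticated identity is entitled to, which is what makes accepting extra requested values (a dnsName, several of them, or none) safe without changing the enrollment interface.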