[Freeipa-devel] [RFE] CA-less install
Orion Poplawski
orion at cora.nwra.com
Thu Mar 28 02:19:50 UTC 2013
On 03/27/2013 10:42 AM, Petr Viktorin wrote:
> On 03/27/2013 05:09 PM, Rob Crittenden wrote:
> [...]
>>> Well, I don't like how PEM file duplicates an unnecessary amount of
>>> information (the whole certificate). Also, copy-pasting subject might be
>>> faster than exporting certificate in PEM and uploading it to the
>>> server...
>>
>> We're talking a one-time operation. I don't think it's asking too much.
>> It also gives the user some amount of control rather than assuming that
>> whatever tool they're using to create the PKCS#12 file is also smart
>> enough to include the right CAs.
>
> Well, to be fair, if there are any intermediate CAs, they need to be in
> the PKCS#12. (In the future there may be support for multiple root CAs,
> which would all get explicit trust. Those would all go in the PEM, so
> intermediate ones must be somewhere else -- in the PKCS#12.)
>
> Anyway I think it's unlikely that everybody will have the certs in the
> right format for IPA by default, whatever that format is.
> Honza has a point, but... If one solution is clearly better (in terms of
> best/common practices in organizations this feature is for), I'm happy
> to change it. Otherwise let's paint the bikeshed with the color I have
> ready :)
FWIW (about $0.02), it did take me a while to figure out how to create
pkcs12 files that included the CA certificate chain out of the PEM files
given to me by my CA that ipa needed. Might be nice to have that in
docs somewhere. But I can live with this color of bikeshed :)
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
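
The step described in the message above (bundling a key, a server certificate and the CA chain from PEM files into one PKCS#12 file), as an added example that is not part of the original post or of FreeIPA's documentation. It follows the quoted discussion in putting the intermediate CA in the PKCS#12 and keeping the root in a separate PEM; every file name, subject and the `P12_PASS` variable is constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example; every subject, file name and password here is constructed.
set -eu

# Throwaway root -> intermediate -> server chain in dir $1, standing in for
# the PEM files a real CA hands over.
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/demo.cnf"
  req() { openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  sign() { openssl x509 -req -days 2 -CAcreateserial "$@" 2>/dev/null; }
  req -x509 -extensions v3_ca -days 2 -subj '/O=EXAMPLE.TEST/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem"
  req -subj '/O=EXAMPLE.TEST/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr"
  sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/int.pem"
  req -subj '/O=EXAMPLE.TEST/CN=ipa.example.test' \
    -keyout "$d/server.key" -out "$d/server.csr"
  sign -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -out "$d/server.pem"
}

# The step from the post: key + server cert + intermediate CA(s) -> PKCS#12.
# -certfile takes a PEM file of the extra chain certificates; the password is
# read from the environment so it stays off the command line.
make_p12() {  # args: key cert chain-pem out-p12
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name Server-Cert -out "$4" -passout env:P12_PASS
}

# Succeeds only if the certificates inside the bundle chain up to root PEM $2.
verify_p12() {  # args: p12 root-pem
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS -out "$1.leaf" 2>/dev/null &&
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin env:P12_PASS -out "$1.chain" 2>/dev/null &&
  openssl verify -CAfile "$2" -untrusted "$1.chain" "$1.leaf" >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
export P12_PASS='constructed-demo-password'
make_demo_pki "$work"
make_p12 "$work/server.key" "$work/server.pem" "$work/int.pem" "$work/server.p12"
verify_p12 "$work/server.p12" "$work/root.pem" && echo "bundle carries the full chain"
```

A bundle exported without `-certfile` holds only the server certificate, so `verify_p12` fails on it; that is the missing-chain case the message describes.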