[Freeipa-devel] [RFE] CA-less install

Dmitri Pal dpal at redhat.com
Fri Mar 29 20:58:20 UTC 2013


On 03/27/2013 10:19 PM, Orion Poplawski wrote:
> On 03/27/2013 10:42 AM, Petr Viktorin wrote:
>> On 03/27/2013 05:09 PM, Rob Crittenden wrote:
>> [...]
>>>> Well, I don't like how PEM file duplicates an unnecessary amount of
>>>> information (the whole certificate). Also, copy-pasting subject might
>>>> be faster than exporting certificate in PEM and uploading it to the
>>>> server...
>>>
>>> We're talking a one-time operation. I don't think it's asking too much.
>>> It also gives the user some amount of control rather than assuming that
>>> whatever tool they're using to create the PKCS#12 file is also smart
>>> enough to include the right CAs.
>>
>> Well, to be fair, if there are any intermediate CAs, they need to be in
>> the PKCS#12. (In the future there may be support for multiple root CAs,
>> which would all get explicit trust. Those would all go in the PEM, so
>> intermediate ones must be somewhere else -- in the PKCS#12.)
>>
>> Anyway I think it's unlikely that everybody will have the certs in the
>> right format for IPA by default, whatever that format is.
>> Honza has a point, but... If one solution is clearly better (in terms of
>> best/common practices in organizations this feature is for), I'm happy
>> to change it. Otherwise let's paint the bikeshed with the color I have
>> ready :)
>
> FWIW (about $0.02), it did take me a while to figure out how to create
> pkcs12 files that included the CA certificate chain out of the PEM
> files given to me by my CA that ipa needed.  Might be nice to have
> that in docs somewhere.  But I can live with this color of bikeshed :)
>
>
>
Would you mind writing a page or a blog about it?
That would be really appreciated.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
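
The step Orion describes above, building a PKCS#12 file that carries the server certificate together with its CA chain from separate PEM files, as an added example that is not part of the original thread or of the FreeIPA documentation. It assumes the `openssl` CLI is installed; the file names, subjects and password are constructed, and a throwaway CA hierarchy stands in for the PEM files a real CA would supply.

```shell
#!/usr/bin/env bash
# Added example. File names, subjects and the password are constructed.
set -eu

# Throwaway root CA, intermediate CA and server cert: stand-ins for the
# separate PEM files a real CA would hand over (demo keys are unencrypted).
make_demo_pki() {
    ( cd "$1" &&
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
      for n in root intermediate server; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=demo $n" \
              -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
      done &&
      openssl x509 -req -in root.csr -signkey root.key -days 2 \
          -extfile ca.ext -out root.pem 2>/dev/null &&
      openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null &&
      openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
          -CAcreateserial -days 2 -out server.pem 2>/dev/null )
}

# bundle_p12 DIR PASSWORD: write DIR/server.p12 holding the server key, the
# server certificate and the CA chain (intermediate first, then root).
bundle_p12() {
    ( cd "$1" &&
      cat intermediate.pem root.pem > chain.pem &&
      # Refuse to bundle a chain that does not link the leaf to the root.
      openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem >/dev/null &&
      openssl pkcs12 -export -in server.pem -inkey server.key -certfile chain.pem \
          -name "demo server" -passout "pass:$2" -out server.p12 )
}

# p12_cert_count FILE PASSWORD: number of certificates stored in the bundle.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_demo_pki "$work"
bundle_p12 "$work" "demo-pass"
echo "certificates in server.p12: $(p12_cert_count "$work/server.p12" demo-pass)"
rm -rf "$work"
```

With real files, only `bundle_p12` and `p12_cert_count` matter: a count lower than the length of the chain plus one means the bundle is missing a CA certificate.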

