[Freeipa-devel] Is CA certificate storage correct?
Martin Kosek
mkosek at redhat.com
Tue May 20 06:28:48 UTC 2014
Hi there,
I checked the update CA Certificate renewal feature design page and one part
seemed awkward to me:
http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
IIUC, when there are multiple iterations of a certificate stored, there will be
one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
attributes, ipaKeyTrust, ...
Given that LDAP does not guarantee order, how do I identify which cACertificate
belongs to which attribute?
If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
returned, how do I find out which certificate it is? Do I need to go through
all binary blobs, parse them and look which blob matches?
Wouldn't it be better to have just one LDAP entry with one blob, one
ipaKeyUsage, ...? I think it would then be much easier to manipulate, LDAP-wise.
Maybe we could store certificates with a timestamp like the following?
cn=auditCert-20130520,cn=certificates,cn=ipa,cn=etc,suffix
...
cn=auditCert-20140520,cn=certificates,cn=ipa,cn=etc,suffix
...
Would it be easier to manipulate?
--
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
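The ordering problem raised above, shown on constructed data as an added example (not code from the mail, the design page or FreeIPA). It simulates the two layouts as plain dicts: the shared entry with multi-valued cACertificate/ipaKeyUsage versus one entry per certificate; the DER blobs and ipaKeyUsage values are placeholders.

```python
import hashlib

# Constructed sample data (not real FreeIPA certificates): stand-ins for the
# DER blobs and ipaKeyUsage values a cn=certificates subtree might hold.
CERTS = [
    # (cn prefix, timestamp, DER placeholder, ipaKeyUsage value)
    ("auditCert", "20130520", b"DER-placeholder-audit-2013", "auditSigning"),
    ("auditCert", "20140520", b"DER-placeholder-audit-2014", "auditSigning"),
    ("ocspCert",  "20140520", b"DER-placeholder-ocsp-2014",  "ocspSigning"),
]

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER blob: identifies a certificate without a full parse."""
    return hashlib.sha256(der).hexdigest()

def shared_entry(usage_order: tuple) -> dict:
    """One object with multi-valued cACertificate and ipaKeyUsage, as on the
    design page. LDAP guarantees no order per attribute; `usage_order` stands
    in for whatever order the server happens to return ipaKeyUsage in."""
    return {
        "cACertificate": [c[2] for c in CERTS],
        "ipaKeyUsage": [CERTS[i][3] for i in usage_order],
    }

def pair_by_position(entry: dict) -> dict:
    """Naive correlation by list position: looks plausible, is unreliable."""
    return dict(zip(entry["cACertificate"], entry["ipaKeyUsage"]))

def blobs_for_usage_shared(entry: dict, usage: str) -> list:
    """Result of filtering the shared entry on ipaKeyUsage: every blob comes
    back, because the filter matches the whole object, not one value."""
    if usage not in entry["ipaKeyUsage"]:
        return []
    return list(entry["cACertificate"])

def pick_by_fingerprint(entry: dict, known_fp: str):
    """The fallback the mail describes: walk all blobs and match a known one."""
    for der in entry["cACertificate"]:
        if fingerprint(der) == known_fp:
            return der
    return None

def per_cert_entries() -> list:
    """Proposed layout: one entry per certificate, e.g. cn=auditCert-20130520."""
    return [{"cn": f"{prefix}-{ts}", "cACertificate": [der], "ipaKeyUsage": [usage]}
            for prefix, ts, der, usage in CERTS]

def blobs_for_usage_per_entry(entries: list, usage: str) -> list:
    """Same filter on the per-certificate layout: each hit is one certificate."""
    return [e["cACertificate"][0] for e in entries if usage in e["ipaKeyUsage"]]
```

With the shared entry, a different server-side value order silently changes which usage `pair_by_position` attaches to each blob, and a usage filter returns all blobs; with one entry per certificate the same filter returns exactly the matching certificates.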