[Freeipa-devel] Is CA certificate storage correct?
Jan Cholasta
jcholast at redhat.com
Tue May 20 09:16:15 UTC 2014
On 20.5.2014 08:28, Martin Kosek wrote:
> Hi there,
>
> I checked the update CA Certificate renewal feature design page and one part
> seemed awkward to me:
>
> http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
>
> IIUC, when there are multiple iterations of a certificate stored, there will be
> one LDAP object with multiple cACertificate attributes, multiple ipaKeyUsage
> attributes, ipaKeyTrust, ...
>
> Given that LDAP does not guarantee order, how do I identify which cACertificate
> belongs to which attribute?
There is no such relation, ipaKey* attributes apply to all of the
cACertificate attributes.
>
> If I do ldapsearch for some specific ipaKeyUsage and I get this LDAP record
> returned, how do I find out which certificate it is? Do I need to go through
> all binary blobs, parse them and look which blob matches?
No.
>
> Wouldn't it be better to have just one LDAP entry with one blob, one
> ipaKeyUsage, ...? I think it would then be much easier to manipulate, LDAP-wise.
> Maybe we could store certificates with a timestamp like the following?
>
> cn=auditCert-20130520,cn=certificates,cn=ipa,cn=etc,suffix
> ...
>
> cn=auditCert-20140520,cn=certificates,cn=ipa,cn=etc,suffix
> ...
>
> Would it be easier to manipulate?
>
No.
--
Jan Cholasta