[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

LiptonB freeipa-github-notification at redhat.com
Tue Jan 24 05:21:05 UTC 2017


URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

LiptonB commented:
"""
@HonzaCholasta, I think I see what you mean about these templates not being dependent on dogtag, and I'm fine with removing the `userCert` dogtag profile from this PR if you don't think it's relevant. Is it ok to leave the `userCert` CSR generation profile, as an example of what the tool can do?

So, do you mean we should no longer consider CSR generation profiles to be associated with IPA profiles? In https://github.com/LiptonB/freeipa/tree/local-cert-build I have code that allows you to run `ipa cert-request --autogenerate --principal someserver --profile-id caIPAserviceCert` and get a cert for the server back in one step. It uses the `caIPAserviceCert` CSR profile to make a CSR that works with the `caIPAserviceCert` IPA profile. So it seems to me that having the profiles linked makes the cert generation experience simpler, and that was the original way this feature was proposed to me. But, if you'd rather have them not be linked, should I modify this command so the CSR profile is specified with a separate flag from the IPA one?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-274712673

