On 27.7.2016 19:06, Ben Lipton wrote: > Hi all, > > I think the automatic CSR generation feature > (https://fedorahosted.org/freeipa/ticket/4899, > http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation) is > stable enough to review now. The following are summaries of the attached > patches: > 0004: LDAP schema changes for the new feature > 0005: Basic API for new objects and CSR generation > 0006: Update install automation to create some default mapping rules > 0007: Implement the lookups and text processing that generates the CSR config > 0008 and 0009: Implement some actual transformation rules so that the feature > is usable > 0010: Add a new cert profile for user certs, with mappings > 0011: Implement import/export of cert profiles with mappings > 0012: Tests for profile import/export > > Generally speaking, later patches depend on earlier ones, but I don't > anticipate any problems from committing earlier patches without later ones. > > If you prefer, you can also comment on the pull request version: > https://github.com/LiptonB/freeipa/pull/4. Note that I may force push on this > branch. > > Allocation of OIDs for schema change also needs review: > https://code.engineering.redhat.com/gerrit/#/c/80061/ > > Known issues: > - When the requested principal does not have some of the requested data, > produces funny-looking configs with extra commas, empty sections, etc. They > are still accepted by my copies of openssl and certutil, but they look ugly. > - The new objects don't have any ACIs, so for the moment only admin can run > the new commands. > - Does not yet have support for prompting user for field values, so currently > all data must come from the database. > - All processing happens on the server side. As discussed in a previous > thread, it would be desirable to break this out into a library so it could be > used client-side. > > Very excited to hear your thoughts!
Hi Ben, I wanted to give it a try from user's point of view first, before diving into implementation details. Here are some observations: 0. Design pages are using term "helper" and it is used even as option in the example with smartcards. Please fix either design page or the code so they are consistent. 1. The "ipa cert-request" command is missing options --autofill and --use (aka helper aka format :-) which are mentioned in the design pages. 2. "ipa cert_get_requestdata" command passes even without --profile-id and generates empty config. I think that this is not expected :-) 3. "ipa cert_get_requestdata --format=openssl" prints the text to stdout including label "Configuration file contents:". This is hard to use because simple redirection like "ipa cert_get_requestdata --format=openssl > config" will not give you valid OpenSSL config file - it needs hand-editing. It would be good to add --out parameter you envisioned in the design page. Please ask jcholast for proper name and semantics :-) With --out option the command can be used to generate valid config (or script if certutil was selected). 4. "ipa cert_get_requestdata --format=openssl" could print hint what OpenSSL command should be executed on the generated config file. For testing I've used command "openssl req -new -out csr -text -config config" (stolen and modified from smart card example). Also, as a second hint, it could print the IPA command which needs to be used to sign the CSR generated by the helper. 5. My naive attempt to get userCert for admin failed: $ ipa cert_get_requestdata --format=openssl --principal=admin --profile-id=userCert > usercert.conf # remove the trailing label $ openssl req -new -out csr -text -config usercert.conf $ ipa cert-request --principal=admin --profile-id=userCert usercert.csr ipa: ERROR: invalid 'csr': No Common Name was found in subject of request. I'm attaching files generated by the commands above. I did not modify anything in the templates or profiles, just tried to use the new profile added by freeipa-blipton-0010-Add-a-new-cert-profile-for-users.patch . Hopefully I will get to other things soon (but not this week). Anyway, all this seems like (expected) initial problems. In general the first touch with user interface seems reasonable and needs only small improvements. Good work! -- Petr^2 Spacek
[ req ] prompt = no encrypt_key = no distinguished_name = sec0 [ sec0 ] O=DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM UID=admin
usercert.csr
Description: application/pkcs10
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
