On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> On 19.7.2016 12:05, Jan Cholasta wrote:
> > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > >
> > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > The attached patch is a work in progress for
> > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > >
> > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > >
> > > > > > It has been tested for server install, replica install (with and
> > > > > > without CA) and CA-replica install (all hosts running master+patch).
> > > > > >
> > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > coming days and the patch will be tweaked as necessary.
> > > > > >
> > > > > > The commit message has a fair bit to say so I won't repeat it here, but let
> > > > > > me know your questions and comments.
> > > > > >
> > > > > > Thanks,
> > > > > > Fraser
> > > > > >
> > > > > It does help to attach the patch, of course ^_^
> > > >
> > > > IMO explicit is better than implicit, so instead of introducing additional
> > > > magic around --subject, I would rather add a new separate option for
> > > > specifying the CA subject name (I think --ca-subject, for consistency with
> > > > --ca-signing-algorithm).
> > >
> > > The current situation - the --subject argument which specifies not the
> > > subject but the subject base - is confusing enough (to say nothing of the
> > > limitations that give rise to the RFE).
> > >
> > > Retaining --subject for specifying the subject base and adding
> > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > line in terms of the RFE, but does not make the installer less
> > > confusing. This is why I made --subject accept the full subject DN,
> > > with provisions to retain existing behaviour.
> > >
> > > IMO if we want to have separate arguments for subject DN and subject
> > > base (I am not against it), let's bite the bullet and name the arguments
> > > accordingly. --subject should be used to specify the full Subject DN,
> > > --subject-base (or similar) for specifying the subject base.
> >
> > IMHO --ca-subject is better than --subject, because it is more explicit
> > whose subject name that is (the CA's). I agree that --subject should be
> > deprecated and replaced with --subject-base.
> >
> > > (I intentionally defer discussion of specific behaviour if one, none
> > > or both are specified; let's resolve the question of renaming /
> > > changing the meaning of arguments first).
> > >
> > > > By specifying the option you would override the default "CN=Certificate
> > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > additional validation would be done to make sure the subject name meets
> > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > additional validation, to be able to print a warning that if a
> > > > Dogtag-incompatible subject name is used, it won't be possible to change the
> > > > CA cert chaining from externally signed to self-signed later.
> > > >
> > > > Honza
>
> Bump, any update on this?
>
I have an updated patch that fixes some issues Sebastian encountered in
testing, but I've not yet tackled the main change requested by Honza (in
brief: adding --ca-subject for specifying that, adding --subject-base for
specifying that, and deprecating --subject; Sebastian, see the discussion
above and feel free to give your thoughts). I expect I'll get back onto
this work within the next few days.

Thanks,
Fraser
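The option layout proposed in the thread (a separate --ca-subject overriding the default "CN=Certificate Authority,$SUBJECT_BASE", --subject kept only as a deprecated alias for --subject-base, stricter validation when the CA is not externally signed), as an added illustrative sketch that is not FreeIPA's installer code. The option names come from the thread; the realm-derived default subject base, the conflict handling when both spellings are given, and the structural DN check standing in for the unspecified Dogtag checks are assumptions.

```python
import argparse
import re

DEFAULT_CA_CN = "CN=Certificate Authority"
# Loose structural check (attr=value RDNs separated by commas). Assumption:
# this stands in for the Dogtag-specific checks the thread mentions but
# does not spell out.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,=]+$")


def dogtag_compatible(dn):
    """Placeholder compatibility check: every RDN must be well formed."""
    return all(RDN_RE.match(rdn.strip()) for rdn in dn.split(","))


def build_parser():
    p = argparse.ArgumentParser(prog="ipa-server-install-sketch")
    p.add_argument("--subject-base", help="subject base for issued certificates")
    p.add_argument("--subject", help="deprecated alias for --subject-base")
    p.add_argument("--ca-subject", help="full subject DN of the CA certificate")
    p.add_argument("--external-ca", action="store_true")
    return p


def resolve_subjects(argv, realm):
    """Return {'subject_base', 'ca_subject', 'warnings'} for the given argv."""
    args = build_parser().parse_args(argv)
    notes = []
    subject_base = args.subject_base
    if args.subject is not None:
        # Keep the old spelling working while steering users to --subject-base.
        notes.append("--subject is deprecated, use --subject-base")
        if subject_base is not None and subject_base != args.subject:
            raise ValueError("--subject and --subject-base disagree")
        subject_base = args.subject
    if subject_base is None:
        subject_base = "O=" + realm  # default subject base derived from the realm
    ca_subject = args.ca_subject or "%s,%s" % (DEFAULT_CA_CN, subject_base)
    if not dogtag_compatible(ca_subject):
        if not args.external_ca:
            # A self-signed CA is issued by Dogtag, so an incompatible name is fatal.
            raise ValueError("CA subject %r is not usable with a self-signed CA" % ca_subject)
        # Externally signed: allowed, but warn as the thread suggests.
        notes.append("CA subject is Dogtag-incompatible; switching the CA from "
                     "externally signed to self-signed later will not be possible")
    return {"subject_base": subject_base, "ca_subject": ca_subject, "warnings": notes}
```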
