On 9/18/2015 1:46 PM, Ade Lee wrote:
> 6. Assuming authority DN is unique, we can add --issuer <DN> option
> to these commands:
> * pki ca-cert-find --issuer <dn>
> * pki ca-cert-request-submit --issuer <dn>
> * pki client-cert-find --issuer <dn>
> * pki client-cert-request --issuer <dn>
>
If we do this, then we need to be sure that the DN is normalized - both
on input -- i.e. when the subca is created (we need to do this in any
case) and also on processing in the CLI.

I'm ok with offering this as an option (maybe --issuer_dn), but the
primary (and initially required option) will be using UUID. We can
defer this mechanism to another ticket/patch. Please open one.

Per IRC discussion we agreed with these options:
* --issuer-id <ID>
* --issuer-dn <DN>
to be added to the ca-cert-* and client-cert-request commands.

For the client-cert-find command we can only provide this option:
* --issuer-dn <DN>
since issuer ID is irrelevant on the client.

Personally I think the issuer DN would be more useful since that's the
value that you see in certificates, so it's more consistent everywhere,
and no need to do a lookup to find the issuer ID. Also, although most
likely we will copy & paste the ID or DN anyway, the DN is easier to
read and confirm that you're submitting the request to the right authority.
--
Endi S. Dewata