Re: [Pki-devel] [PATCH] 93, 94 - changes for a common admin user

Some issues: 1. The pki_use_common_admin_user is set to true in [Common] but overwritten to false in [CA]: [Common] pki_use_common_admin_user=true [CA] pki_use_common_admin_user=false If I understood correctly it's done this way to make sure that if we use a common admin user, only CA will generate the certificate file, but not the other subsystems: if not config.str2bool(master['pki_clone']) and \ not config.str2bool(master['pki_use_common_admin_user']): ... create cert file ... Having conflicting pki_use_common_admin_users in the same config file is confusing to users because we are actually using a common admin user for all subsystems including CA so the value should be "true". I think it would be better to check for CA explicitly in the code: [Common] pki_use_common_admin_user=true if not config.str2bool(master['pki_clone']): if not config.str2bool(master['pki_use_common_admin_user']) or master['pki_subsystem'] == 'CA': ... create cert file ... 2. The location of the admin cert was changed from pki_client_dir to pki_database_path. I think we should keep it in pki_client_dir because the certificate belongs to the admin, not the instance, so it should be in the admin's home directory. As long as the other subsystems are created by the same admin the code should be able to read the cert from the admin's home directory. So the following parameters should point to the admin's home directory: - pki_client_admin_cert_p12 - pki_admin_cert_file 3. The default pki_admin_nickname is too long: PKI Administrator's example.com Security Domain ID It can be simplified without losing information: PKI Administrator of example.com 4. The common cert files are called ca_admin.*. I think we should remove the "ca_" to reflect that the cert works on all subsystems. -- Endi S. Dewata On 11/29/2012 4:09 PM, Ade Lee wrote: