On Mon, Jun 15, 2015 at 02:52:17PM -0500, Endi Sukma Dewata wrote:
On 6/11/2015 9:24 AM, Fraser Tweedale wrote:
>This patch causes Issuer DN to be stored in certificate records
>using existing (unused) 'issuerName' attribute schema.
>
>This will allow me to change sub-CAs implementation to a shared
>certificate repo which means I don't have to worry about range
>management anymore :) But I think it is a sensible change in its
>own right.
>
>UI / CLI filters for issuer can come later - there's a TODO for that
>on my tracking etherpad[1] and I will file a ticket later.
>
>[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>
>Cheers,
>Fraser
The patch itself looks good, but we also need to consider the existing
certificate records in the database that do not have the issuerName. Two
possibilities:
1. Add issuerName into all existing certificate records using a database
upgrade script.
2. Maintain two types of certs such that:
* Certs issued by the main CA (and standalone sub CA) will continue to have
empty issuerName.
* Certs issued by the light-weight sub CA will have non-empty issuerName.
Any preference?
--
Endi S. Dewata
I previously discussed option (2) with Ade, but on reflection I
think an upgrade script is the way to go - the better to have only
one case to handle elsewhere. I will write the upgrade script.
Thanks,
Fraser