[Freeipa-devel] Re: MS AD-CS profile support (request for feedback)
Fraser Tweedale
2017-05-19 01:04:51 UTC
Hi Fraser,
Hi all,
I'm going to start work on [1] soon. This ticket is to add support
for specifying the desired template (profile) name or OID to use
when installing IPA with AD-CS as the external CA. Currently, the
template name is hardcoded to "SubCA", which is the default sub-CA
template in AD-CS.
https://bugzilla.redhat.com/show_bug.cgi?id=1427105
This is actually not much work. The most difficult part is to
ensure that the CSR extension is properly populated when renewing.
But I first want to have a discussion here about the user
experience.
--external-ca-type=ms-ca,MyTemplateName # template name
--external-ca-type=ms-ca,123.456.21348.13 # template OID
--external-ca-type=ms-ca,123.456.21348.13,101 # template OID + major version no
--external-ca-type=ms-ca,123.456.21348.13,101,6 # template OID + major version no + minor version no
But because --external-ca-type is an Enum knob, I'm not inclined to
extend it.
+1
Instead, I think I will add another option for
specifying these data, e.g.
--external-ca-parameters=MyTemplateName
--external-ca-parameters=123.456.21348.13,101,6
The interpretation of the parameters shall depend on the external CA
type. For 'generic', they are ignored. For 'ms-ca', the
aforementioned interpretation is used.
I would prefer a simple --external-ca-profile option rather than a complex
--external-ca-parameters "god" option with differing behavior based on CA
type, as the former will continue to work nicely when external CA install is
handled using certmonger.
Fair enough. My only (minor) concern is the different terminology
("profile" vs "template"). Also if other kinds of options are
needed in future, we'd need yet another option for that, but we
don't need to worry about that now :)

So I will add --external-ca-profile. Thanks for your feedback.

Cheers,
Fraser
ipa-server-install, ipa-ca-install, and ipa-cacert-manage would
learn the new option.
Any thoughts/feedback?
Honza
--
Jan Cholasta
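The value syntax proposed in the thread (a template name, or a template OID with optional major and minor version numbers) as an added example parser; this is not code from the thread or from FreeIPA, and the two Microsoft extension OIDs it reports come from Microsoft's PKI documentation rather than from the discussion:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dotted-decimal OID: at least two numeric arcs. Deliberately lenient so the
# thread's illustrative value "123.456.21348.13" is accepted as an OID.
_OID_RE = re.compile(r"^\d+(\.\d+)+$")

# AD-CS request extensions carrying the template choice (from Microsoft's
# PKI docs, not from the thread): a template name is sent in the
# "Certificate Template Name" extension, an OID plus versions in
# "Certificate Template Information".
EXT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"
EXT_TEMPLATE_INFO = "1.3.6.1.4.1.311.21.7"


@dataclass
class ExternalCAProfile:
    name: Optional[str] = None
    oid: Optional[str] = None
    major: Optional[int] = None
    minor: Optional[int] = None

    @property
    def extension_oid(self) -> str:
        """Which AD-CS extension a CSR for this profile would need."""
        return EXT_TEMPLATE_NAME if self.name else EXT_TEMPLATE_INFO


def parse_external_ca_profile(value: str) -> ExternalCAProfile:
    """Parse NAME, OID, OID,MAJOR or OID,MAJOR,MINOR; reject anything else
    so a typo fails at install time, not when the CSR reaches AD-CS."""
    parts = [p.strip() for p in value.split(",")]
    head = parts[0]
    if not head:
        raise ValueError("template name or OID must not be empty")
    if not _OID_RE.match(head):
        # Template name: version numbers only make sense with an OID.
        if len(parts) != 1:
            raise ValueError("version numbers require a template OID")
        return ExternalCAProfile(name=head)
    if len(parts) > 3:
        raise ValueError("at most OID,MAJOR,MINOR is allowed")
    for p in parts[1:]:
        if not p.isdigit():
            raise ValueError("version numbers must be non-negative integers")
    versions = [int(p) for p in parts[1:]]
    major = versions[0] if versions else None
    minor = versions[1] if len(versions) > 1 else None
    return ExternalCAProfile(oid=head, major=major, minor=minor)
```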