Currently, getcert will generate a CSR based off of a number of input parameters. It allows for some common extensions:
Parameters for the signing request:
    -N NAME      set requested subject name (default: CN=<hostname>)
    -U EXTUSAGE  set requested extended key usage OID
    -u KEYUSAGE  set requested key usage value
    -K NAME      set requested principal name
    -D DNSNAME   set requested DNS name
    -E EMAIL     set requested email address
    -A ADDRESS   set requested IP address
In cases where a profile may require other extensions, it would be nice to be able to provide a CSR to be supplied to getcert.
Metadata Update from @nkinder: - Issue set to the milestone: 0.0 NEEDS_TRIAGE
I was thinking about this today (I am implementing support for the MS V2 certificate template extension).
I don't think providing the CSR is the right approach for certmonger; much of the value of certmonger is in certmonger managing the keys & certdb, and automatically generating the CSR. This approach would require the CSR to be generated outside certmonger - probably by a human user (poor human...)
Instead, if there is a real use case (the fact that I'm implementing an extension right now suggests there probably is), I'd suggest a new template option that can take a list of extension OIDs, criticality bool, and encoded extension data, e.g. something like:
    getcert request <snip> \
        --extensions 1.2.3.4:0:base64extdata,1.2.42.311.66:1:dataOfAnotherExtension
i.e. it takes a comma separated list of colon-separated tuples (oid, critical {0,1}, extdata {base64-encoded})
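To make the proposed tuple syntax concrete, here is an added example (not certmonger code, and the `--extensions` option it targets is only a proposal in this thread) that DER-encodes an extension value with nothing but the standard library, formats the `OID:CRITICAL:BASE64` list, and parses it back with strict validation. The extension used is the Microsoft certificate template (V2) extension, szOID_CERTIFICATE_TEMPLATE = 1.3.6.1.4.1.311.21.7, whose value is `SEQUENCE { templateID OID, majorVersion INTEGER, minorVersion INTEGER OPTIONAL }`; the template OID fed into it below is a constructed placeholder, real ones are minted per Active Directory forest. One property worth noticing: standard base64 never contains `:` or `,`, so the two delimiters in the proposed format cannot collide with the data.

```python
# Added example for the proposed getcert --extensions syntax:
#   OID:CRITICAL:BASE64,OID:CRITICAL:BASE64,...   (CRITICAL is 0 or 1,
#   BASE64 is the DER-encoded extension value). Stand-alone; not certmonger code.
import base64
import re

# Dotted OID: first arc 0-2, remaining arcs decimal without leading zeros.
OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")

# szOID_CERTIFICATE_TEMPLATE, the Microsoft "certificate template (V2)" extension.
MS_CERT_TEMPLATE_OID = "1.3.6.1.4.1.311.21.7"


def _base128(n: int) -> bytes:
    """Big-endian base-128 with continuation bits, as used for OID arcs."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid_content(oid: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (first two arcs are merged into one)."""
    if not OID_RE.match(oid):
        raise ValueError(f"malformed OID: {oid!r}")
    arcs = [int(a) for a in oid.split(".")]
    return b"".join(_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:])


def der_oid(oid: str) -> bytes:
    return der_tlv(0x06, der_oid_content(oid))


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 stops the high bit reading as a sign."""
    if n < 0:
        raise ValueError("negative INTEGER not supported in this example")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def ms_certificate_template_value(template_oid: str, major: int, minor=None) -> bytes:
    """CertificateTemplate ::= SEQUENCE { templateID OID, major INTEGER, minor INTEGER OPTIONAL }"""
    items = [der_oid(template_oid), der_integer(major)]
    if minor is not None:
        items.append(der_integer(minor))
    return der_sequence(*items)


def format_extensions_arg(exts) -> str:
    """(oid, critical, der_value) tuples -> proposed --extensions string.
    Standard base64 contains neither ':' nor ',', so the delimiters stay unambiguous."""
    parts = []
    for oid, critical, value in exts:
        if not OID_RE.match(oid):
            raise ValueError(f"malformed OID: {oid!r}")
        if not value:
            raise ValueError(f"empty extension value for {oid}")
        parts.append(f"{oid}:{1 if critical else 0}:{base64.b64encode(value).decode('ascii')}")
    return ",".join(parts)


def parse_extensions_arg(arg: str):
    """Inverse of format_extensions_arg; rejects anything outside the grammar."""
    result = []
    for item in arg.split(","):
        fields = item.split(":")
        if len(fields) != 3:
            raise ValueError(f"expected OID:CRITICAL:BASE64, got {item!r}")
        oid, crit, b64 = fields
        if not OID_RE.match(oid):
            raise ValueError(f"malformed OID: {oid!r}")
        if crit not in ("0", "1"):
            raise ValueError(f"criticality must be 0 or 1, got {crit!r}")
        value = base64.b64decode(b64, validate=True)  # stray characters are an error
        if not value:
            raise ValueError(f"empty extension value for {oid}")
        result.append((oid, crit == "1", value))
    return result


if __name__ == "__main__":
    # Constructed placeholder template OID; real ones are issued per AD forest.
    tmpl = ms_certificate_template_value("1.3.6.1.4.1.311.21.8.999.1", 100, 3)
    print(format_extensions_arg([(MS_CERT_TEMPLATE_OID, False, tmpl)]))
```

The parser deliberately refuses OIDs with leading zeros, criticality values other than 0/1, and base64 with characters outside the alphabet; an option like this ends up in a CSR that a CA signs, so the request side should fail closed rather than pass along something half-parsed.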
I've got a use case for this feature.
I've got some devices that are able to generate private keys and output a CSR.
I'd like to use certmonger to submit those CSRs to FreeIPA for signing. certmonger will take care of re-submitting the CSR when the signed certificate is close to expiring. A post-save command will upload the signed certificate to the devices.
Possible UI: a new --csrfile= option that may be specified instead of --keyfile= when --certfile= is given:
    # cat > /etc/pki/tls/private/device1.csr << EOF
    <paste>
    EOF
    # getcert request \
        --certfile=/etc/pki/tls/certs/device1.crt \
        --csrfile=/etc/pki/tls/private/device1.csr \
        --after-command=/path/to/post-save.sh