--On Sunday, April 09, 2017 9:57 PM +0100 Howard Chu hyc@symas.com wrote:
You cannot write a decent design from scratch. It's important to have a baseline of functionality to get an idea of scope. The current overlay provides that baseline.
Some immediate things I see after reading the man page for the current autoca are:
a) Not going to work well for databases that use "" as a suffix, and then support multiple domains beneath that (Zimbra had many customers that did this. One customer handled 10k unique top level domains.)
b) Related to the above, importing CA's for those customer domains would fail (because they aren't located in the suffix)
c) While there is an option to specify the keysize, there is no option to specify the digest to use. There should be a note on what the default digest is, and an option to use other digests. With Zimbra, we had a default of sha256, and options of ripemd160, sha, sha1, sha224, sha256, sha384, sha512
d) I don't see a mechanism for creating star certs, which can be fairly critical. I also don't see a mechanism for doing multiple DNS names, which can be critical for a server with several CNAMES names.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com