Turbo Fredriksson wrote:
> On 9 Apr 2017, at 14:24, Howard Chu hyc@symas.com wrote:
>> Please read the slapo-autoca(5) manpage for more info.
> This is exactly how easy I’m envisioning this to be! Brilliant, thanx!
> So if I’m understanding this correctly, all you have to do to request a certificate for a specific object is to read the “userPrivateKey;binary” of that RDN?
You must request exactly two attributes, otherwise the overlay ignores it: userCertificate;binary and userPrivateKey;binary.
> Now, I know it’s well too early for feature requests :D, but I have a few questions (and a feature request :):
> 1) Why are both certificates (private AND public) in the same attribute? I can see the reason to have the public … “public” (with a much more relaxed ACL/ACI).
They aren't, they are in two separate attributes.
> 2) What if I want a new certificate for that RDN? Such as when the previous one is [about to] expire and it needs to be refreshed (preferably (?) without destroying/removing the old one).
Currently you would have to delete the old one first.
> 3) Is the CA's _public_ key available as well? Same reason as point 1.
If the overlay generated it, then it is stored in cACertificate;binary in the suffix entry of the database.
> 4) If I already have a CA “on premises” and that has created an intermediate CA I’d like to use for “autoca”, could this be done?
You can replace cACertificate;binary and cAPrivateKey;binary of the suffix entry to force this.
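As an added example (not part of this thread and not OpenLDAP's own code), the following script shows the client side of what Howard describes: requesting exactly userCertificate;binary and userPrivateKey;binary for an entry, fetching cACertificate;binary from the suffix entry, unfolding the LDIF that ldapsearch returns, and verifying the issued certificate against that CA. It assumes a suffix of dc=example,dc=com, an entry uid=alice beneath it, a bind DN with read access to those attributes, and GNU coreutils (base64, fold).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP itself. Assumed names:
# suffix dc=example,dc=com, entry uid=alice, bind DN cn=admin,dc=example,dc=com.

# LDIF folds long values: a line starting with a space continues the previous one.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) print ""; printf "%s", $0 }
         END { print "" }'
}

# Pull one base64-encoded ("::") attribute out of LDIF on stdin and decode it to DER.
ldif_attr_der() {
    ldif_unfold | awk -v a="$1" 'index($0, a "::") == 1 { sub(/^[^:]*:: */, ""); print; exit }' | base64 -d
}

# Wrap DER from stdin in a PEM envelope so openssl can read it.
der_to_pem() {
    printf '%s\n' "-----BEGIN $1-----"
    base64 | fold -w 64
    printf '%s\n' "-----END $1-----"
}

# Live part: only runs when invoked as "sh autoca-check.sh --run".
autoca_fetch_and_verify() {
    base="dc=example,dc=com"
    binddn="cn=admin,$base"
    # Asking for exactly these two attributes is what makes slapo-autoca issue a
    # certificate for the entry; any other attribute list is ignored.
    user_ldif=$(ldapsearch -LLL -x -D "$binddn" -W -b "uid=alice,$base" -s base \
        'userCertificate;binary' 'userPrivateKey;binary')
    # The CA certificate the overlay generated sits on the suffix entry.
    ldapsearch -LLL -x -D "$binddn" -W -b "$base" -s base 'cACertificate;binary' > ca.ldif
    printf '%s\n' "$user_ldif" | ldif_attr_der 'userCertificate;binary' | der_to_pem CERTIFICATE > user.pem
    ldif_attr_der 'cACertificate;binary' < ca.ldif | der_to_pem CERTIFICATE > ca.pem
    # The private key came back in the same response (userPrivateKey;binary).
    # It is deliberately kept in memory only and not written out; read access
    # to that attribute should be restricted by ACL to the entry's owner.
    unset user_ldif
    openssl x509 -in user.pem -noout -subject -issuer -enddate
    openssl verify -CAfile ca.pem user.pem
}

case "${1:-}" in --run) autoca_fetch_and_verify ;; esac
```

Because the overlay stores the private key in a directory attribute, the ACL on userPrivateKey;binary decides who can obtain a usable identity for the entry, so the verify step above only tells you the certificate chains to the CA, not that the key has been adequately protected.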