Bug 1570482
| Summary: | Document certificate profiles creation, modification, and management for RHEL IdM | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Alexander Bokovoy <abokovoy> |
| Component: | doc-Linux_Domain_Identity_Management_Guide | Assignee: | Marc Muehlfeld <mmuehlfe> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.5 | CC: | jswensso, mkosek, rhel-docs |
| Target Milestone: | rc | Keywords: | Documentation |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-16 07:32:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1576720 | | |
| Bug Blocks: | | | |

Description
Alexander Bokovoy
2018-04-23 04:13:49 UTC
I need some help to update the documentation.

(In reply to Alexander Bokovoy from comment #0)
> RHEL documentation on IdM side is lacking a clear explanation on what OIDs
> are included in the default certificate profiles and how to specify them
> using recommended methods.

Can you please provide me what OIDs are included and details on how to specify them?

> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters. It does not refer to certmonger documentation at all.

What parameters should be explained? Only --profile-id= or all? Can you provide me the information that should be added to the docs? To what certmonger docs should chapter 24 refer? To https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/certmongerx ?

> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I can move the

> For details on supported certificate profile configuration, see Defaults Reference and Constraints Reference in the Red Hat Certificate System Administration Guide.

paragraph to a new small separate section ("Creating a Certificate Profile"). Then it's easier to find.

The problem with documenting OIDs is that they are coming from Dogtag and while FreeIPA is using Dogtag profiles, it doesn't define them itself. So it is probably better to have that information clearly referenced in Dogtag documentation and then linked to IdM guide. For certmonger docs reference you are linking the right chapter, thanks.

All previews are temporary.

(In reply to Alexander Bokovoy from comment #0)
> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters.

Step 3 in http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#requesting-cert-certutil explains the other available options of "ipa cert-request".

> It does not refer to certmonger documentation at all.

I've added "24.1.1.3. Requesting New Certificates Using Certmonger": http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#reqesting-new-certificates-using-certmonger

> It doesn't provide any table with OIDs from the default profile in IPA.
> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I linked the RHCS docs in the new "24.4.1. Creating a Certificate Profile" section: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#creating-a-certificate-profile

Alexander, do these enhancements cover the docs updates you requested or does anything else need to be added or explained?

Yes, this all now looks quite good. The only odd thing I noticed is "24.1.1.2. Requesting New Certificates Using openSSL". I think it would be good to change this to "24.1.1.2. Preparing a certificate request with multiple SAN fields using openSSL" and mention that the resulting certificate request can be used with 'ipa cert-request' command.

The update is now available on the Customer Portal.