1731483 – RFE: Ship a default profile and support using custom profiles for use when creating sub-CA signing certs

Bug 1731483 - RFE: Ship a default profile and support using custom profiles for use when creating sub-CA signing certs

Summary: RFE: Ship a default profile and support using custom profiles for use when cr...

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-19 13:55 UTC by dminnich
Modified:	2020-02-06 19:57 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description dminnich 2019-07-19 13:55:45 UTC

Description of problem:

I'd like the ability to to set pathlen on subcas.  I can also imagine use cases where I'd want to set Validity lengths or NameConstraints differently on per sub-ca basis.  

My thought is it would be cool if ipa ca-add supported a --profile-id  in the same way ipa cert-request does.  It would default to some profile you ship similar to caIPAserviceCert.   If I wanted something else I could easily download, edit and upload the custom profile, then tell ca-add to use it.

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7_6.2.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Note You need to log in before you can comment on or make changes to this bug.