[Freeipa-devel] Re: [BLOG/DESIGN] cert-request revocation changes

Simo Sorce wrote: Multiple certs is fine but the convention to date has been one cert per service so that usage can be more easily tracked. If they want that can have a single cert and share it everywhere but then things are more opaque and the systems harder to manage. You can't easily answer the question "What TLS services are we running on bob?" I can't quite get my head around Fraser's scenario Certificate for new purpose (non-renewal). New purpose for the same service? Do you have any examples of that? Beyond the fact that we'll have to come up with some other scheme to sift the database looking for expired certs to remove from usercertificate. Remember that storing usercertificate in host/service entries provides really no value whatsoever except to pin the fact that the service has a certificate at all. So being able to store 0, 1 or more doesn't really buy you a lot unless you are using these services to bind as clients. Even now when you display a service it provides the details for only ONE certificate. user certs are another story altogether and not covered here. Sure, assuming they actually use the CRL or OCSP. I'd be ok making it a config option. I think I'd rather not extend the cert-request API for the revocation case and use post-command scripts to do it instead. This is an IPA policy so it should live within IPA. rob