Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying a 'primary' domain for the certificate #17

Closed
wants to merge 7 commits into from
Closed

Allow specifying a 'primary' domain for the certificate #17

wants to merge 7 commits into from

Conversation

casselc
Copy link
Contributor

@casselc casselc commented Oct 16, 2018

Currently the ordering of domains supplied to New-ACMEOrder is not preserved, because the AcmeOrder object is created from the server response which, in practice, appears to return the Identifiers sorted alphabetically.

These updates:

  • Add a PrimaryDomain field to the AcmeOrder class
  • Updates AcmeOrder constructor logic to initialize PrimaryDomain to the first Identifier so it should be compatible with old CliXML exports.
  • Add a PrimaryDomain parameter to the New-Order cmdlet
  • Updates the logic of the New-Order cmdlet to set the initial value of PrimaryDomain on the AcmeOrder to the value of the PrimaryDomain parameter if specified, or the value of the first supplied Identifier otherwise.
  • Add a primaryDomain parameter to the GenerateCsr method that is used as the CN/Subject of the certificate

@glatzert
Copy link
Collaborator

I think there should also be a new Cmdlet Set-Order, which allows setting the PrimaryDomain.
This is not essential, since getting the order from State, changing it and Store it in the state can be done manually, but I think it would be convenient.
Also the PrimaryDomain might be a good candidate to implement a getter and a setter, since it is (probably) crucial, that it's part of the SAN list.

@casselc
Copy link
Contributor Author

casselc commented Oct 18, 2018

Re: Set-Order and getter/setter - I can do that, but it will only be effective if run prior to Complete-Order since the server Order is immutable after creation, which leads to...

I was wondering if it might not be better to leave AcmeOrder matching the protocol object and instead add something like a new CertificateRequest class and associated cmdlets that would encapsulate the primary domain, SAN list, key settings, any other CSR/export options (Friendly Name,etc) and the active AcmeOrder associated with the request.

@glatzert
Copy link
Collaborator

I've seen you implemented the PrimaryName on Complete-Order at first - this would also make any change of the Order object unneccesary. Also there the option to merge (instead of reset) the list of identifiers on Update-Order, so the first identifier is always the same.

Nevertheless the CertificateRequest Object might be an Option, but I'd like to keep the order as the "principal object". So an order could have a CSRSettings. I did not dig too deep into the Certificate Issuance of LE or what is supported in CSR and what not, so if it's more than just the CN, that could be an interesting approach. FriendlyName is - as far as I know - more a Windows thing, is it?
That could be added, but we'd have to be careful about availabiltiy on other Platforms.

I'll open an Issue to discuss this further.

@glatzert glatzert mentioned this pull request Oct 18, 2018
Closed
@glatzert glatzert mentioned this pull request Dec 30, 2018
Merged
@glatzert
Copy link
Collaborator

glatzert commented Jan 3, 2019
edited
Loading

Closing this, since #18 and #19 implement this by allowing to set a CertDN

@glatzert glatzert closed this Jan 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@casselc @glatzert