Profiles - default, custom and command line about django-ca HOT 4 CLOSED

(note: edited original post to fix syntax highlighting)

from django-ca.

Hi,

I cannot quite reproduce some of the issues that you report here. You write:

• I can't disable the 'webserver' profile - possibly because that is the default profile
• I can't set the default profile to be be the 'client' profile (using CA_DEFAULT_PROFILE: client), I was hoping to set this as default and then disable the webserver profile

When I use this YAML file:

CA_DEFAULT_PROFILE: client
CA_PROFILES:
  webserver: null

I can successfully disable the webserver profile. This is evidenced by e.g. manage.py sign_ca -h no longer listing it in the section:

$ python manage.py sign_cert -h
...
profiles:
  Sign certificate based on the given profile. A profile only sets the the default values, options like --key-usage still override the profile.

  --client              A certificate for a client.
  --server              A certificate for a server, allows client and server authentication.
  --enduser             A certificate for an enduser, allows client authentication, code and email signing.
  --ocsp                A certificate for an OCSP responder.

However, I do see that just removing the webserver profile makes it unusable. I will add a check for that. In the meantime, the above setting will work just fine.

I am unable to select the client profile when using sign_cert from the command-line using the '--client' argument , it throws an error (see below). Using '--webserver' instead works however. Is the '--client' argument still supported?

The traceback seems to be due to the question you posted in #95 - see the answer there! I will also add a check to better catch this error.

Is it possible to select other profiles including custom ones from the command-line, or do all the settings that make up a profile, need to be passed individually instead?

Yes, that's possible - in fact it's the whole point of a profile! With the example I added here, sign_cert will show:

$ python manage.py sign_cert -h
profiles:
  Sign certificate based on the given profile. A profile only sets the the default values, options like --key-usage still override the profile.

  --client              A certificate for a client.
  --server              A certificate for a server, allows client and server authentication.
  --enduser             A certificate for an enduser, allows client authentication, code and email signing.
  --ocsp                A certificate for an OCSP responder.
  --new_profile         The description for the new profile

Please let me know if you have any further questions - or can't get some of this to work.

from django-ca.

I think that the problems I was experiencing using profiles were consequences of the syntax format issue I was struggling with (#95) and having resolved that by following the examples you provided, I can now disable unrequired profiles and create ones without any problem. Thank you again for all your help

from django-ca.

Hi @doubledipped ,

Glad I could help you and I hope you like django-ca!

I added a check for if you specify a default profile that does not exist (whether that's because you removed it or you just have a typo) to help the next person that stumbles over that. The changes will be included in the next version of django-ca.

kr, Mat

from django-ca.