When working on customer projects that use statedump, on regular basis we need to be able to support multiple environments.
Currently the only rational way to do this is by having multiple statedumps, per environment.
This can, however, lead to a lot of problems in terms of integrity and consistency. In case we need to update something across all three environments, we need to do this in multiple statedumps.
It would be nice if we could have a single (set of) statedump(s), and have an option in the statedump tool to override certains fields.
For example, in case of CAs it would be nice to be able to provide prefix for the subject DN's CN, in case of some certificate profiles we may want to be able to slightly modify certain values (say, policy text). In case of end entities we may want to be able to change the FQDNs/hostnames etc.
In case of CAs we also may want to be able to change the default OCSP location or CRL URI.
In general, some form of overrides would be needed for:
- Naming of end entities/CAs.
- Anything DNS-related.
The statedump could provide a couple of options providing ability to:
- Do regex replacements (this might be the most generic).
- Do prefixing (this could be considered as a special-case regex replacement).
- We would need the ability to specify what fields etc are getting changed.