[Freeipa-devel] [PATCH] 269 external CA signing, abstract RA

Pavel Zuna pzuna at redhat.com
Tue Sep 15 11:25:25 UTC 2009


Rob Crittenden wrote:
> The RA plugin originally only supported dogtag. At some point I want to 
> be able to do on-line replica creation and this means we need to be able 
> to do remote cert requests. To support this I've abstracted the RA 
> plugin and added basic self-signed CA support. To do this I had to move 
> the CA private key from the DS NSS database to the Apache NSS database.
> 
> The bulk of the patch adds support for an externally-signed dogtag CA. 
> This is a 2-step process. You run the IPA installer to create the CA 
> instance and generate a CSR. You take this CSR to your primary CA and 
> get it signed, then re-run the IPA installer and pass it this new cert. 
> A lot of our cert functions assumed 1 cert-per-file. I had to remove 
> that assumption and add in a sort of generic nickname generator. It 
> assumes that the certs will be in some sort of order in the file. It 
> doesn't really matter as long as the nicknames are unique.
> 
> A replica created with a self-signed CA will not be able to issue certs 
> yet. I started this work by enhancing the file used to store the next 
> serial number to also store the next serial number to be used by a 
> replica. The idea is that we ship this to the replica then bump it up by 
> some value so that all replicas are unique. I think we'll have to 
> enforce that replicas can't create other replicas.
> 
> rob
> 
I didn't do extensive functionality tests, but the code looks really fine. I 
think we should push this. If something doesn't work exactly the way expected, 
we can always patch it later. ack.

This patch makes some changes to the service plugin that aren't compatible with 
my latest service plugin patch (Make the service plugin use baseldap classes.) 
Since this is probably going to get pushed first, I already made a replacement 
patch that merges changes from both. It's attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-the-service-plugin-use-baseldap-classes.patch
Type: application/mbox
Size: 12808 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090915/80191c3e/attachment.mbox>
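Rob's description of dropping the one-cert-per-file assumption (certificates taken in whatever order the file has them, nicknames only required to be unique) is the part of this design a reviewer would most want to see exercised. The following is an added Python example, not code from the patch or from FreeIPA: the PEM splitter, the `<base> #<n>` nickname scheme, the duplicate-certificate check and the sample bundle are all my own assumptions and constructed input, included so the uniqueness property can be checked stand-alone.

```python
import base64
import re

# Constructed sample bundle: two distinct dummy "certificates". The bodies are
# plain base64 text rather than real DER, because this example only deals with
# file layout and nickname uniqueness, not with certificate parsing.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q0VSVC1BLUNPTlRFTlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0VSVC1CLUNPTlRFTlQ=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text):
    """Return the decoded body of every CERTIFICATE block, in file order.

    A block whose body is not valid base64 raises ValueError, so a corrupted
    or truncated bundle fails loudly instead of importing garbage."""
    certs = []
    for body in _PEM_RE.findall(text):
        raw = "".join(body.split())          # strip the PEM line wrapping
        # validate=True makes b64decode reject non-alphabet characters
        certs.append(base64.b64decode(raw, validate=True))
    return certs


def assign_nicknames(ders, base, existing=()):
    """Pair each certificate with a nickname that is unique in the target DB.

    Nicknames are "<base> #<n>" (an assumed scheme). Names already present in
    the NSS database (`existing`) are never reused, and a certificate that
    appears twice in the bundle is returned only once, since importing the
    same cert under two nicknames is a common source of confusion."""
    taken = set(existing)
    seen = set()
    result = []
    n = 0
    for der in ders:
        if der in seen:
            continue
        seen.add(der)
        # Bump the counter until the name is free; order in the file
        # determines numbering, but only uniqueness actually matters.
        while True:
            n += 1
            nick = f"{base} #{n}"
            if nick not in taken:
                break
        taken.add(nick)
        result.append((nick, der))
    return result


if __name__ == "__main__":
    certs = split_pem_bundle(SAMPLE_BUNDLE)
    for nick, der in assign_nicknames(certs, "External CA chain",
                                      existing={"External CA chain #1"}):
        print(nick, len(der), "bytes")
```

Each `(nickname, cert)` pair would then be imported separately into the NSS database (for example with `certutil -A -n <nickname>`), which is where the uniqueness requirement Rob mentions actually bites: two certificates under the same nickname cannot be told apart by name later.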