[Freeipa-devel] [PATCH] 823 validate certificate subject base

Martin Kosek mkosek at redhat.com
Wed Jul 13 08:16:02 UTC 2011


On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
> Use John's new DN class to verify that the subject base passed into 
> ipa-server-install is valid.
> 
> https://fedorahosted.org/freeipa/ticket/1176
> 
> rob

Works fine for basic errors. But what if the DN is syntactically valid
but makes no sense for a CA? For example:

# ipa-server-install --subject="FOO=BAR"
...
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-099.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX'
-preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
-admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host
vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory
Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
-backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR"
-ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR"
-ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR"
-ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external
false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed


Could we also cover these cases in the callback?

Martin
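One way to catch the case above in the option callback, as an added example (this is not FreeIPA's code and does not use John's DN class): a small RFC 4514 splitter plus a check that every attribute type in the subject base is one a CA can encode in an X.509 name, wired into an optparse callback so `--subject=FOO=BAR` is rejected before step 4/16 ever runs. The set of accepted attribute types, and the function names `split_dn`, `check_subject_base`, `subject_callback` and `parse_subject_option`, are assumptions made for this example.

```python
"""Added example, not FreeIPA's own code: reject a --subject value that
parses as a DN but uses attribute types a CA cannot put in a certificate
subject, so the failure surfaces in the option callback rather than in
pkisilent."""
import optparse

# Attribute types commonly accepted in X.509 subject names. This set is an
# assumption made for the example, not a list taken from FreeIPA or Dogtag.
KNOWN_ATTR_TYPES = frozenset([
    "CN", "O", "OU", "C", "ST", "L", "DC", "UID", "E", "EMAILADDRESS",
    "STREET", "SN", "GIVENNAME", "SERIALNUMBER", "DNQUALIFIER", "INITIALS",
    "GENERATIONQUALIFIER", "TITLE",
])


def split_dn(dn):
    """Split an RFC 4514 DN string into a list of (type, value) pairs.

    Backslash escapes and quoted values are kept verbatim; ',' and '+'
    outside quotes and escapes separate RDN components. Raises ValueError
    for a component that is not of the form type=value.
    """
    components, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ",+" and not in_quotes:
            components.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    components.append("".join(buf))

    pairs = []
    for comp in components:
        if "=" not in comp:
            raise ValueError("'%s' is not of the form type=value" % comp)
        attr, value = comp.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            raise ValueError("'%s' has an empty attribute type or value" % comp)
        pairs.append((attr, value))
    return pairs


def check_subject_base(dn):
    """Return None if dn is usable as a CA subject base, else an error message."""
    if not dn or not dn.strip():
        return "subject base must not be empty"
    try:
        pairs = split_dn(dn)
    except ValueError as e:
        return "invalid DN: %s" % e
    # Syntactically fine DNs like FOO=BAR fail here instead of inside pkisilent.
    unknown = sorted(set(a for a, _ in pairs if a.upper() not in KNOWN_ATTR_TYPES))
    if unknown:
        return ("attribute type(s) %s cannot be used in a certificate subject"
                % ", ".join(unknown))
    return None


def subject_callback(option, opt_str, value, parser):
    """optparse callback: abort option parsing on a bad --subject value."""
    err = check_subject_base(value)
    if err is not None:
        raise optparse.OptionValueError("%s: %s" % (opt_str, err))
    setattr(parser.values, option.dest, value)


def parse_subject_option(argv):
    """Parse argv the way an installer's option parser would; return the
    accepted --subject string (optparse exits with status 2 on rejection)."""
    parser = optparse.OptionParser()
    parser.add_option("--subject", dest="subject", type="string",
                      action="callback", callback=subject_callback,
                      help="certificate subject base")
    options, _ = parser.parse_args(argv)
    return options.subject
```

With this in place, `parse_subject_option(["--subject=FOO=BAR"])` makes optparse print `error: --subject: attribute type(s) FOO cannot be used in a certificate subject` and exit with status 2 before any CA steps start, while `--subject=O=IPA.EXAMPLE.COM` passes through unchanged. Multi-valued RDNs are accepted by the splitter only for type checking; the callback stores the user's original string rather than a re-joined one.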
