[Freeipa-devel] [PATCH] Select a server with a CA on it when submitting signing requests.
Rob Crittenden
rcritten at redhat.com
Tue Jun 14 21:03:42 UTC 2011
Nalin Dahyabhai wrote:
> This is a stab at fixing #1252 - teaching the RA to handle cases where
> the local server isn't a CA.
>
> When the RA is about to submit a signing request to a CA, it currently
> assumes that the CA is colocated. This modifies its behavior so that
> the first time it needs to submit a signing request, it:
>
> 1. Checks if the configured ca_host is actually a CA. If it is, use it.
> 2. Checks if the local host (if it's not also the configured ca_host)
> is a CA. If it is, use it.
> 3. Checks if there are any CAs in the domain. If there are, select one
> of them at random and use it.
> 4. Give up, behave as before, and let the error we previously would
> have gotten for trying to submit a signing request to a non-CA happen.
>
> Nalin
Ack, pushed to master.
rob
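
The four-step selection order described in the quoted message, as an added Python sketch that is not part of the original thread and is not FreeIPA's own code. The class name, the `is_ca` probe and the `list_domain_cas` lookup are hypothetical stand-ins for whatever directory query a deployment uses.

```python
import random
from typing import Callable, Iterable, Optional


class CASelector:
    """Pick the host that signing requests go to, caching the first answer.

    is_ca and list_domain_cas are hypothetical callables (assumptions of
    this example), not FreeIPA APIs.
    """

    def __init__(self, ca_host: str, local_host: str,
                 is_ca: Callable[[str], bool],
                 list_domain_cas: Callable[[], Iterable[str]],
                 rng: Optional[random.Random] = None):
        self.ca_host = ca_host
        self.local_host = local_host
        self._is_ca = is_ca
        self._list_domain_cas = list_domain_cas
        self._rng = rng or random.SystemRandom()
        self._selected: Optional[str] = None

    def select(self) -> str:
        # Only the first signing request pays for the lookups.
        if self._selected is None:
            self._selected = self._pick()
        return self._selected

    def _pick(self) -> str:
        # 1. The configured ca_host, if it really is a CA.
        if self._is_ca(self.ca_host):
            return self.ca_host
        # 2. The local host, unless it is the ca_host already checked.
        if self.local_host != self.ca_host and self._is_ca(self.local_host):
            return self.local_host
        # 3. Any CA in the domain, chosen at random.
        candidates = sorted(set(self._list_domain_cas()))
        if candidates:
            return self._rng.choice(candidates)
        # 4. Nothing found: keep the old behaviour and let the submit fail.
        return self.ca_host
```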