[Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates
Rob Crittenden
rcritten at redhat.com
Thu Dec 6 19:35:25 UTC 2012
Martin Kosek wrote:
> On 12/06/2012 04:48 PM, Martin Kosek wrote:
>> On 12/06/2012 04:45 PM, Martin Kosek wrote:
>>> Modify the default IPA CA certificate profile to include CRL and
>>> OCSP extensions which will add URIs to IPA CRL&OCSP to published
>>> certificates.
>>>
>>> Both CRL and OCSP extensions have 2 URIs, one pointing directly to
>>> the IPA CA which published the certificate and one to a new CNAME
>>> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
>>> to all IPA replicas which have CA configured.
>>>
>>> The new CNAME is added either during new IPA server/replica/CA
>>> installation or during upgrade.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3074
>>> https://fedorahosted.org/freeipa/ticket/1431
>>>
>>> ----
>>>
>>> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make
>>> things work as we want :-)
>>>
>>> Martin
>>>
>>
>> I knew the subject was wrong the moment I clicked the Send button... Sending a
>> fixed patch.
>>
>> Martin
>
> Found a crash in ipa-replica-install, sending a fixed patch.
>
> Martin
It looks good. I tested with and without DNS, with and without CAs,
adding CAs, upgrades, no problems.
The only question I have is that this effectively makes the CRL optional. If
it isn't found configured in the profile, it won't add it in. Was that
intentional?
rob
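As an added illustration (not part of this thread or of FreeIPA's code), the check below builds a certificate carrying the two extensions the patch's profile describes, a CRL Distribution Points extension and an AIA OCSP entry, each with two URIs (the issuing CA host and the ipa-ca.$DOMAIN CNAME), and then reports which revocation mechanism, if any, an issued certificate fails to advertise, which is the situation Rob's question about the optional CRL is about. Host names and URL paths are constructed placeholders, not the real IPA paths, and the `cryptography` library is assumed.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed names for the example; the paths are placeholders, not IPA's real ones.
CA_HOST = "ipa.example.test"        # the CA that issued the certificate
CNAME_HOST = "ipa-ca.example.test"  # the ipa-ca.$DOMAIN CNAME covering all CA replicas


def make_cert(include_crl=True, include_ocsp=True):
    """Self-signed test certificate mirroring the profile's CRL/OCSP URI layout."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Certificate Authority")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if include_crl:  # one distribution point with both URIs
        uris = [x509.UniformResourceIdentifier(f"http://{h}/ipa/crl/MasterCRL.bin")
                for h in (CA_HOST, CNAME_HOST)]
        b = b.add_extension(x509.CRLDistributionPoints(
            [x509.DistributionPoint(uris, None, None, None)]), critical=False)
    if include_ocsp:  # one OCSP AccessDescription per host
        b = b.add_extension(x509.AuthorityInformationAccess(
            [x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                    x509.UniformResourceIdentifier(f"http://{h}/ca/ocsp"))
             for h in (CA_HOST, CNAME_HOST)]), critical=False)
    return b.sign(key, hashes.SHA256())


def revocation_uris(cert):
    """Return {'crl': [...], 'ocsp': [...]}; an empty list means the extension is absent."""
    out = {"crl": [], "ocsp": []}
    try:
        for dp in cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value:
            out["crl"] += [gn.value for gn in (dp.full_name or [])
                           if isinstance(gn, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    try:
        for ad in cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                out["ocsp"].append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return out


def missing_revocation_info(cert):
    """Names of the revocation mechanisms the certificate does not advertise."""
    uris = revocation_uris(cert)
    return [k for k in ("crl", "ocsp") if not uris[k]]
```

Running `missing_revocation_info` over certificates issued before and after the profile change shows directly whether the CRL pointer was dropped when the profile lacked it.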