[Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs
Jan Cholasta
jcholast at redhat.com
Tue Apr 2 08:48:46 UTC 2013
On 29.3.2013 15:31, Petr Viktorin wrote:
> On 03/29/2013 11:20 AM, Jan Cholasta wrote:
>> On 29.3.2013 11:14, Jan Cholasta wrote:
>>> Also I was able to install IPA with revoked certificates, but it doesn't
>>> seem to break anything - the CRL specified in the certificates' CRL
>>> distribution point is not automatically imported into any of the NSS
>>> databases and when it is imported manually, everything still seems to
>>> work fine. I haven't checked OCSP. Can and/or do we want to do something
>>> about this?
>>
>> Update: the ipa command does not work:
>>
>> $ ipa host-show $HOSTNAME --all --raw
>> ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
>> ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
>> ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
>> -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
>> revoked.
>
> I think we can live with not checking CRLs now. I haven't found a way to
> download CRLs with certutil or python-nss (short of explicitly examining
> the certs, downloading the CRL and importing it, but I don't think IPA
> is the place for that).
> I've asked John.
OK, thanks.
>
>>> Patch 205:
>>>
>>> Can we instead require the PKCS#12 files to always contain the whole
>>> certificate chain? IMO that way it would be more obvious what should
>>> actually be in the files and it would make things easier should there
>>> ever be need for --root-ca-subject.
>
> Not requiring the root CA is a convenient shortcut. It's common to have
> certs signed directly by the CA, and in this case you can use either a
> single-cert PKCS#12 or one with the full chain.
> Actually, originally the full chain was required, and a user already
> complained :)
>
> If we add a new option, we can specify its requirements on the other
> options.
No problem.
>
> Adding a new patch for client installation.
>
This is nothing critical, but I think that make-testcert should check if
dogtag is installed and when it's not, print a message informing the
user that they should issue the test certificate manually and place it
in the appropriate location.
Besides that, ACK.
Honza
--
Jan Cholasta
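The gap discussed above is that nothing in the install path fetches the CRL named in a certificate's CRL distribution point, so a revoked server cert only surfaces when the NSS client rejects it. The following is an added example, not code from this thread or from FreeIPA, of the two pieces such a check needs: reading the CRL DP URIs out of a cert and testing a cert's serial against a CRL whose signature has been verified. It uses the python-cryptography library rather than python-nss, and the CA, leaf cert, CRL and the `CRL_URI` placeholder are constructed inline with throwaway keys so it runs offline.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID

CRL_URI = "http://crl.example.com/ipa.crl"  # constructed placeholder URI

def _build_fixture():
    """Constructed CA, leaf cert carrying a CRL DP, and a CRL that revokes it."""
    now = datetime.datetime(2013, 4, 2, tzinfo=datetime.timezone.utc)
    year = datetime.timedelta(days=365)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(now).not_valid_after(now + year)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ipa.example.com")])
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URI)], None, None, None)
    leaf = (x509.CertificateBuilder().subject_name(leaf_name).issuer_name(ca_name)
            .public_key(leaf_key.public_key()).serial_number(1000)
            .not_valid_before(now).not_valid_after(now + year)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def crl_dp_uris(cert):
    """URIs in the cert's CRL distribution points: what a checker would have to fetch."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [name.value for point in ext.value for name in (point.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]

def is_revoked(cert, crl, issuer):
    """True if the CRL is validly signed by the issuer and lists the cert's serial."""
    if not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL signature does not verify against the issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A real check would download the CRL from the URIs returned by `crl_dp_uris` and also honour its `next_update` before trusting it; only the signature and membership test are shown here.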