[Freeipa-devel] [RFE] CA-less install

Petr Viktorin pviktori at redhat.com
Wed Mar 27 15:23:49 UTC 2013


On 03/27/2013 03:44 PM, Jan Cholasta wrote:
> Hi,
>
> On 22.3.2013 13:10, Petr Viktorin wrote:
>> The design page for CA-less installation with user-provided SSL certs is
>> available at http://freeipa.org/page/V3/CA-less_install. I've also
>> copied it to this mail.
>>
>> Does it answer all your questions?
>>
>
> I have gone through the whole discussion, RFE page and your patches, and
> I still don't see why --root-ca-file is necessary. Walking the
> certificate chain from the server cert up to the root CA is easy, so why
> not do that to determine the root CA? If the option is there just to
> ensure that the right certificate is used, I think it would be better to
> ask the user to confirm that during the installation process, or use
> --root-ca-subject or similar option to specify what certificate to use.

Well, --root-ca-file specifies the root of trust, not necessarily the 
self-signed/unsigned CA at the end of the trust chain.
Suppose you have a company-wide cert signed by a "globally" trusted CA, 
but you're paranoid and only want to trust the company cert, not a CA that 
signs half the world's certificates. In that case walking up the chain 
would select the wrong certificate.
Please correct me if my thinking is wrong.

Yes, a --root-ca-subject would work too. I assumed the PEM file is 
readily available.

> We should do some validation of the PKCS#12 files and the certificates
> within them, as currently ipa-server-install will happily accept
> anything thrown at it. I think the minimum is to validate that the
> PKCS#12 file contains the whole certificate chain, the server key and
> only that, and that the server certificate has CN=<fqdn> (or
> CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
> don't do that, ipa-server-install might fail when it's too late to fix
> things.

I don't want to check the subject because this RFE was prompted by IPA's 
normal CA rejecting valid wildcard certs. Is there a reasonable way to 
ask NSS if it will trust the cert? If there is I can put it in, but I 
don't want to re-create the validation.

The code checks for the whole cert chain, and that there's only one 
server cert. Does that not work?

> Also, the RFE page states that the options to specify PKCS#12 files are
> called --http_pkcs and --dirsrv_pkcs, but they are in fact called
> --http_pkcs12 and --dirsrv_pkcs12.

Fixed, thanks.


-- 
Petr³
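The two checks argued over in this thread, an explicit trust anchor that need not be the self-signed top of the chain, and validation of the PKCS#12 contents before the installer commits to them, as an added example that is not FreeIPA's code and not part of the original mail. It assumes the third-party `cryptography` package; the three-level chain (public root, company CA, server cert) and the bundle are constructed in memory, and the function names (`validate_bundle`, `build_demo`) are mine. The walk stops as soon as a certificate chains to the anchor, so anchoring on the company CA rejects nothing signed by it while refusing to trust the public root above it, and an anchor from an unrelated CA is rejected even though the bundle's own chain is internally consistent.

```python
"""Validate a user-provided PKCS#12 bundle against an explicit trust anchor.

Added example, not FreeIPA code. Assumes the third-party `cryptography`
package. Every certificate below is constructed in memory for the demo.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, pkcs12
from cryptography.x509.oid import NameOID

MAX_DEPTH = 10  # constructed bound on how far up a chain we are willing to walk


def _make_cert(subject_cn, issuer_cert, issuer_key, is_ca, dns_name=None):
    """Build an ECDSA-signed certificate; issuer_cert=None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    signing_key = issuer_key if issuer_key is not None else key
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if dns_name:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
    return key, builder.sign(signing_key, hashes.SHA256())


def _signed_by(cert, issuer):
    """True if issuer's subject matches cert's issuer and its key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _name_matches(cert, fqdn):
    """Match fqdn against SAN DNS names (CN as fallback); '*' covers one label only."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if not names:
        names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    host = fqdn.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def validate_bundle(p12_bytes, password, root_ca_pem, fqdn):
    """Return (ok, reason): one server key+cert, only CA certs beside it,
    a signed chain that reaches the anchor from root_ca_pem, and a name match."""
    key, leaf, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or leaf is None:
        return False, "bundle does not contain a server key and certificate"
    extra = extra or []
    for cert in extra:  # anything besides the leaf must be a CA certificate
        try:
            if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                return False, "bundle contains more than one end-entity certificate"
        except x509.ExtensionNotFound:
            return False, "extra certificate without BasicConstraints: %s" % cert.subject
    if not _name_matches(leaf, fqdn):
        return False, "server certificate does not cover %s" % fqdn
    anchor = x509.load_pem_x509_certificate(root_ca_pem)
    pool = {c.subject.rfc4514_string(): c for c in extra}
    current = leaf
    for _ in range(MAX_DEPTH):
        if current == anchor or _signed_by(current, anchor):
            return True, "chain reaches trust anchor %s" % anchor.subject.rfc4514_string()
        issuer = pool.get(current.issuer.rfc4514_string())
        if issuer is None or issuer == current:  # missing issuer, or a self-signed top that is not our anchor
            return False, "chain from %s does not reach the trust anchor" % current.subject.rfc4514_string()
        if not _signed_by(current, issuer):
            return False, "bad signature on %s" % current.subject.rfc4514_string()
        current = issuer
    return False, "chain longer than %d certificates" % MAX_DEPTH


def build_demo(fqdn="ipa.example.test"):
    """Constructed chain: public root -> company CA -> server cert, bundled as PKCS#12."""
    root_key, root = _make_cert("Demo Public Root", None, None, True)
    company_key, company = _make_cert("Demo Company CA", root, root_key, True)
    server_key, server = _make_cert(fqdn, company, company_key, False, dns_name=fqdn)
    p12 = pkcs12.serialize_key_and_certificates(b"ipa", server_key, server, [company, root], NoEncryption())
    return p12, root.public_bytes(Encoding.PEM), company.public_bytes(Encoding.PEM)


if __name__ == "__main__":
    bundle, root_pem, company_pem = build_demo()
    for label, anchor in (("self-signed root", root_pem), ("company CA only", company_pem)):
        print(label, validate_bundle(bundle, None, anchor, "ipa.example.test"))
```

The stop condition is the point of the example: the walk terminates at the first certificate that is, or is signed by, the file given as the anchor, which is exactly what lets an intermediate company CA serve as the root of trust. A subject-based `--root-ca-subject` option could select the same certificate out of the bundle, but it could not express "trust this key and nothing above it" without also carrying the key, which is what the PEM file does.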