[Freeipa-devel] [RFE] CA-less install

Jan Cholasta jcholast at redhat.com
Wed Mar 27 15:40:23 UTC 2013


On 27.3.2013 16:23, Petr Viktorin wrote:
> On 03/27/2013 03:44 PM, Jan Cholasta wrote:
>> I have gone through the whole discussion, RFE page and your patches, and
>> I still don't see why --root-ca-file is necessary. Walking the
>> certificate chain from the server cert up to the root CA is easy, so why
>> not do that to determine the root CA? If the option is there just to
>> ensure that the right certificate is used, I think it would be better to
>> ask the user to confirm that during the installation process, or use
>> --root-ca-subject or similar option to specify what certificate to use.
>
> Well, --root-ca-file specifies the root of trust, not necessarily the
> self-signed/unsigned CA at the end of the trust chain.
> Suppose you have a company-wide cert signed by a "globally" trusted CA,
> but you're paranoid and only want to trust the company cert, not a CA that
> signs half the world's certificates. In that case walking up the chain
> would select the wrong certificate.
> Please correct me if my thinking is wrong.

Makes sense, thanks. Can you please put this information in the RFE page?

>
> Yes, a --root-ca-subject would work too. I assumed the PEM file is
> readily available.

Well, I don't like how PEM file duplicates an unnecessary amount of 
information (the whole certificate). Also, copy-pasting subject might be 
faster than exporting certificate in PEM and uploading it to the server...

>
>> We should do some validation of the PKCS#12 files and the certificates
>> within them, as currently ipa-server-install will happily accept
>> anything thrown at it. I think the minimum is to validate that the
>> PKCS#12 file contains the whole certificate chain, the server key and
>> only that, and that the server certificate has CN=<fqdn> (or
>> CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
>> don't do that, ipa-server-install might fail when it's too late to fix
>> things.
>
> I don't want to check the subject because this RFE was prompted by IPA's
> normal CA rejecting valid wildcard certs. Is there a reasonable way to
> ask NSS if it will trust the cert? If there is I can put it in, but I
> don't want to re-create the validation.

I'm not sure TBH. Maybe someone with more NSS experience could answer this?

>
> The code checks for the whole cert chain, and that there's only one
> server cert. Does that not work?

Actually I didn't check this specifically. But, I used a server 
certificate with wrong subject and that made ipa-server-install fail.

-- 
Jan Cholasta
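As an added illustration of the checks discussed in this thread (example code, not from the thread or from FreeIPA itself), the sketch below models the PKCS#12 contents as plain records and applies the proposed rules: exactly one server key, exactly one end-entity certificate whose name covers the server FQDN (with wildcard acceptance as an option), and a chain walk that stops at the subject named as the trust anchor rather than at the self-signed end, which is the case Petr describes. The `Cert` record, the function names and all sample values are constructed for this example; signature verification is left to NSS and is not modelled here.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Stand-in for a parsed X.509 cert (constructed for this example; signatures not modelled)."""
    subject: str
    issuer: str
    dns_names: list = field(default_factory=list)  # CN plus SAN dNSName values

    @property
    def self_signed(self):
        return self.subject == self.issuer

def hostname_matches(pattern, fqdn, allow_wildcard):
    """Exact match, or a '*.' leftmost label covering exactly one label when wildcards are allowed."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    if not allow_wildcard or not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    head, sep, tail = fqdn.partition(".")
    return sep == "." and head != "" and tail == pattern[2:]

def build_chain(server, bundle, root_subject=None):
    """Walk issuer links upward; stop at root_subject (the chosen anchor) or, if unset, at a self-signed cert."""
    by_subject = {c.subject: c for c in bundle}
    chain = [server]
    while True:
        cur = chain[-1]
        if (cur.subject == root_subject) if root_subject else cur.self_signed:
            return chain
        if cur.self_signed:
            raise ValueError("chain ends at %r without reaching anchor %r" % (cur.subject, root_subject))
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt in chain:
            raise ValueError("issuer %r of %r is missing from the bundle or loops" % (cur.issuer, cur.subject))
        chain.append(nxt)

def validate_bundle(certs, keys, fqdn, root_subject=None, allow_wildcard=False):
    """The thread's checks: one server key, one end-entity cert naming the host, complete chain to the anchor."""
    if len(keys) != 1:
        raise ValueError("expected exactly one server key, found %d" % len(keys))
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one server certificate, found %d" % len(leaves))
    server = leaves[0]
    if not any(hostname_matches(n, fqdn, allow_wildcard) for n in server.dns_names):
        raise ValueError("server cert names %r do not cover %r" % (server.dns_names, fqdn))
    return build_chain(server, certs, root_subject)
```

With the anchor set to the company CA's subject, the returned chain omits the global root, so trust is pinned to the company CA exactly as described above.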