[Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

Petr Vobornik pvoborni at redhat.com
Fri Mar 29 17:17:08 UTC 2013


Hello,

attaching Web UI part.

Petr

On 03/18/2013 12:58 PM, Petr Viktorin wrote:
> Hello,
> While the work is not complete, these patches allowed me to install an
> IPA server without a CA, using PKCS#12 files for the server certs.
>
> The patches don't break normal installation.
> The --selfsign option (but not yet the code behind it) is removed.
>
> The absence of a CA is indicated by `enable_ra=False` in the IPA config.
>
> ipa-replica-install will still refuse to run; I'll look into that next.
>
> I removed some unused code that got in my way: Dogtag 9 installation (we
> can run a Dogtag 9-style CA, but we never *install* it), and
> ipapython.certdb.CertDB (unused, not to be confused with ipaserver's
> CertDB).
>
> I tried using python-nss, but unfortunately found that it's not yet
> usable here. John filed
> https://bugzilla.redhat.com/show_bug.cgi?id=922247 after our
> conversation. Parsing certutil output, while dirty, is more reliable in
> my limited experience.
> I added ipaserver.install.certs.NSSDatabase as a general-purpose wrapper
> around certdb operations. We have a CertDB class for it but that one is
> too tied to the current code paths: when I used it I found myself
> re-implementing a lot of methods to get rid of some assumption or other.
> The new NSSDatabase is not tied to IPA configuration.
>
>
> From what I've learned, PKCS#12 files are just a bag of certificates;
> there are basically no restrictions on their contents. But we assume
> there's only one cert inside that has a private key, and use that for
> the server cert. We also pretty much assume that there's one CA cert: if
> not we pick the first one and trust it as root CA.
> In short, I think --http_pkcs & friends are too vague for PKCS#12s we
> don't control; we should have the user name the certs more explicitly.
> Am I wrong here? Is this the usual way to import server certs?
>


-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0274-Web-UI-Disable-cert-functionality-if-a-CA-is-not-ava.patch
Type: text/x-patch
Size: 4597 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/bb9f11c3/attachment.bin>

