[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Martin Kosek mkosek at redhat.com
Fri Sep 27 08:14:03 UTC 2013


On 09/26/2013 04:46 PM, Jan Cholasta wrote:
> On 26.9.2013 12:59, Tomas Babej wrote:
>> On 09/26/2013 12:54 PM, Jan Cholasta wrote:
>>> On 24.9.2013 18:14, Nalin Dahyabhai wrote:
>>>> On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
>>>>> We discussed this with Tomáš off-line and it turns out that
>>>>> ipa-client-install fails if the CA cert is not added to
>>>>> /etc/pki/nssdb.
>>>>>
>>>>> However, according to p11-kit docs it should work:
>>>>> <http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
>>>>> wonder what needs to be done to make it work in IPA...
>>>>
>>>> On my system, there's no symlink to libnssckbi.so (or the right location
>>>> in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
>>>> database isn't going to automatically pull in the list of trusted CAs
>>>> that p11-kit maintains.
>>>>
>>>> Whether the database under /etc/pki/nssdb should automatically include
>>>> the usual set of trust anchors is probably a different conversation.
>>>
>>> Thanks for the info.
>>>
>>> Tomáš, the patch is fine then. I have one more nitpick though: why did
>>> you change "the default NSS database" to "the NSS database"? The
>>> database in /etc/pki/nssdb *is* the default NSS database, so please
>>> change it back. Also I think "systemwide CA trust database" is better
>>> than "systemwide CA store".
>>>
>>> Honza
>>>
>> I fixed the descriptions. Updated patch attached.
>>
>> Tomas
>>
>
> Thanks.
>
> There's one more thing: we should probably check if /usr/bin/update-ca-trust
> exists before using it, for the sake of cross-distro compatibility.
>

Right. I am also thinking if this functionality should not be somehow 
integrated into the platform files so that it can be overridden in platforms 
that do not have the systemwide storage.

Martin
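The two points raised above (check that /usr/bin/update-ca-trust exists before calling it, and keep the step behind a per-platform override so distributions without a systemwide trust database can skip it) can be sketched as follows. This is an added illustration, not FreeIPA's own code or its platform abstraction: the anchor directory /etc/pki/ca-trust/source/anchors and the ipa-ca.crt file name are assumptions based on the Fedora/RHEL ca-certificates layout, and the PEM text in the demo is a constructed placeholder, not a real certificate.

```python
import os
import shutil
import subprocess
import tempfile

# Assumed Fedora/RHEL locations; a platform file would override these.
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
ANCHORS_DIR = "/etc/pki/ca-trust/source/anchors"
ANCHOR_NAME = "ipa-ca.crt"  # assumed file name, not FreeIPA's


def systemwide_ca_trust_available(update_cmd=UPDATE_CA_TRUST, anchors_dir=ANCHORS_DIR):
    """True only if the update tool is executable and the anchors dir exists.

    This is the cross-distro guard: on a platform without p11-kit style
    trust handling both checks fail and the caller skips the step.
    """
    return (os.path.isfile(update_cmd)
            and os.access(update_cmd, os.X_OK)
            and os.path.isdir(anchors_dir))


def publish_ca_cert(cert_pem, anchors_dir=ANCHORS_DIR, update_cmd=UPDATE_CA_TRUST,
                    run=subprocess.check_call):
    """Install the CA certificate into the systemwide trust database.

    Returns the path written, or None when the platform has no systemwide
    store (nothing is written and update-ca-trust is not invoked).
    `run` is injectable so the refresh command can be recorded offline.
    """
    if not systemwide_ca_trust_available(update_cmd, anchors_dir):
        return None
    dest = os.path.join(anchors_dir, ANCHOR_NAME)
    tmp = dest + ".tmp"
    # Write to a temp file, then rename, so a half-written anchor is never
    # visible to update-ca-trust or to readers of the anchors directory.
    with open(tmp, "w") as f:
        f.write(cert_pem)
    os.chmod(tmp, 0o644)  # world-readable like other trust anchors
    os.rename(tmp, dest)
    run([update_cmd])  # regenerate the consolidated trust bundles
    return dest


def demo():
    """Exercise both branches against a constructed fake platform layout."""
    root = tempfile.mkdtemp(prefix="ca-trust-demo-")
    try:
        anchors = os.path.join(root, "anchors")
        os.mkdir(anchors)
        fake_cmd = os.path.join(root, "update-ca-trust")
        with open(fake_cmd, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(fake_cmd, 0o755)
        calls = []
        record = lambda argv: calls.append(list(argv))

        # Constructed placeholder PEM; not a parsable certificate.
        pem = ("-----BEGIN CERTIFICATE-----\n"
               "PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
               "-----END CERTIFICATE-----\n")

        written = publish_ca_cert(pem, anchors_dir=anchors,
                                  update_cmd=fake_cmd, run=record)
        with open(written) as f:
            content = f.read()

        # Platform without the tool: nothing written, nothing run.
        skipped = publish_ca_cert(pem, anchors_dir=anchors,
                                  update_cmd=os.path.join(root, "missing"),
                                  run=record)
        return {
            "written_name": os.path.basename(written),
            "content_ok": content == pem,
            "refresh_calls": len(calls),
            "refresh_argv": calls[0] == [fake_cmd],
            "skipped": skipped is None,
            "leftover_tmp": os.path.exists(written + ".tmp"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In a real client installer the defaults at the top would come from the platform module, and a platform whose file sets `UPDATE_CA_TRUST = None` (or any non-existent path) makes `publish_ca_cert` return None without touching the filesystem, which is the override behaviour discussed above.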
