[Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP
Jan Cholasta
jcholast at redhat.com
Thu Jun 26 13:42:26 UTC 2014
On 25.6.2014 13:13, Jan Cholasta wrote:
> On 16.6.2014 22:36, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches implement
>>>> <https://fedorahosted.org/freeipa/ticket/3259> and
>>>> <https://fedorahosted.org/freeipa/ticket/3520>.
>>>>
>>>> This work depends on my patches 241-253 and 262-266
>>>> (<http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html>).
>>>>
>>>>
>>>> Note that automatic distribution of CA certificates to IPA systems is
>>>> not implemented yet (it's planned for IPA 4.2, see
>>>> <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
>>>> /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are
>>>> updated
>>>> *only* during client/server install.
>>>
>>> 267
>>>
>>> What is the purpose of this change? Won't this cause no certificates to
>>> be exported in the default case?
>>>
>>> diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
>>> index 61a954f..3cd7a53 100644
>>> --- a/ipaserver/install/certs.py
>>> +++ b/ipaserver/install/certs.py
>>> @@ -463,7 +463,7 @@ class CertDB(object):
>>> do that step."""
>>> # export the CA cert for use with other apps
>>> ipautil.backup_file(self.cacert_fname)
>>> - root_nicknames = self.find_root_cert(nickname)
>>> + root_nicknames = self.find_root_cert(nickname)[:-1]
>>> fd = open(self.cacert_fname, "w")
>>> for root in root_nicknames:
>>> (cert, stderr, returncode) = self.run_certutil(["-L",
>>> "-n",
>>> root, "-a"])
>>>
>>> Or are you separating out issuing CA from the rest of the chain?
>
> find_root_cert() returns the certificate chain *including* the
> end-entity certificate. We want only CA certificates here. This is an
> error introduced in the CA-less rewrite.
>
>>>
>>> 268 ACK
>>>
>>> 269 ACK
>>>
>>> 270
>>>
>>> If a user has their own CA installed, such as the case where they used
>>> ipa-server-certinstall, this will break it.
>
> You can't install own CA with ipa-server-certinstall. I did not see
> anything break.
>
>>>
>>> What can be in the other set? Docs are needed.
>
> The "trusted" set is for trusted CA certs and the "other" set is for
> other CA certs. I will add a comment...
>
>>>
>>> You potentially add a bunch of certs with no trust, what is the purpose?
>
> "No trust" in this context means "trust only for issuing CA
> certificates". The certs are there for the sole purpose of forming the
> CA chain, so they don't need to be trusted for anything else.
>
>>>
>>> 271
>>>
>>> ipaSecretKey isn't mentioned on
>>> http://www.freeipa.org/page/V4/CA_certificate_renewal . What is it and
>>> does it need to be added now?
>
> This is the schema from
> <http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Encoded_key_data>.
> It is shared with DNSSEC. I will add a comment.
>
>>>
>>> 272 ACK
>>>
>>> 273 ACK
>>>
>>> 274 ACK
>>>
>>> 275 ACK
>>>
>>> 276
>>>
>>> There isn't any error handling around the ASN.1 decoder. Is that wise?
>
> Probably not, but it's consistent with the rest of the x509 module -
> none of its functions do error handling, it is up to the caller.
>
> BTW I have started refactoring x509 code, but didn't have time to
> finish. The new code will include error handling.
>
>>>
>>> There should be unit tests
>
> Yes.
>
>>>
>>> 277
>>>
>>> There should be unit tests
>
> Yes.
>
>>>
>>> 278
>>>
>>> When the certificate must be passed in as DER can you use dercert as the
>>> argument name so it's clear what is needed?
>
> OK.
>
>>>
>>> In update_ca_cert() and get_ca_certs() should the values for trust be
>>> case insensitive?
>
> It already is in update_ca_cert(), but get_ca_certs() does indeed need
> to be fixed.
>
>>>
>>> This breaks the convention where attribute names are always lower-case.
>
> I wasn't aware there is such a convention, especially so after seeing
> loads of mixed case attribute names all over IPA code.
>
> Anyway, I don't think it matters anymore, the new LDAP code has
> case-insensitive attribute names.
>
>>>
>>> I can't really grok add_ca_cert(). You are adding certs but removing
>>> values? Is this un-setting the list of trusted CA's maybe?
>
> It is unsetting ipaConfigString values from entries that should no
> longer have them. I will add a comment.
>
>>>
>>> There isn't a single comment in this file beyond the header.
>
> Sorry, will fix.
>
>>>
>>> 279
>>>
>>> Looks ok
>>>
>>> 280
>>>
>>> Why add the chain with no trust?
>
> See my comment for patch 270.
>
>>>
>>> 281 / 282
>>>
>>> What is the difference between add_cert and import_cert other than
>>> passing in trust and not having the db password? Do we even need
>>> add_single_pem_cert anymore?
>
> add_cert adds certificate by value, import_cert loads it from a file. We
> don't need add_single_pem_cert anymore.
>
>>>
>>> 283 / 284
>>>
>>> In __import_ca_certs() I assume the pass is there for NotFound for the
>>> case of creating a replica with an older master that doesn't have these?
>>> How is SSL trust setup then?
>
> It is for the case where there is no cn=certificates nor cn=CAcert. The
> trust is setup as usual, failed import does not affect it.
>
>>>
>>> This code looks awfully similar.
>
> Will fix.
>
>>>
>>> 285
>>>
>>> ACK
>>>
>>> 286
>>>
>>> It looks ok, just one wild thought. If writing the certificate fails and
>>> you go to clean up by removing ca_file, what if that removal fails, for
>>> the same reason the write failed, SELinux for example?
>
> Good point, will fix.
>
>>>
>>> 287
>>>
>>> If this weren't addressed in a later patch I've have dinged you on the:
>>>
>>> + return [cert]
>>>
>>> There are some places where you pluralize the variables (certs) and
>>> others where you do not (ca_cert, existing_ca_cert).
>
> Right, will fix.
>
>>>
>>> 288
>>>
>>> Is a rawcert a dercert? I'd use that name instead for consistency.
>
> It can be both DER or PEM, I used it for consistency with
> write_certificate().
>
>>>
>>> normalize_certificate() can raise exceptions. Those should be handled in
>>> write_certificate_list()
>
> Actually they should be handled by the caller, the same way as with
> write_certificate(). (See my comment for patch 276.)
>
>>>
>>> 289
>>>
>>> ACK
>>>
>>> 290
>>>
>>> This can be dangerous because if another database is opened in the
>>> process things may fail. Additional warnings and red flags should be
>>> provided, or the context should be compared to known places this will
>>> blow up (e.g server).
>
> This is used only in ipa-client-install (in patch 291) and it does not
> blow up.
>
>>>
>>> 291
>>>
>>> You use a temporary database to make cleanup easier I suppose? Did you
>>> test this in enforcing?
>
> Yes, it works fine.
>
>>>
>>> 292
>>>
>>> Need unit tests
>
> OK.
>
>>>
>>> 293
>>>
>>> Why the fixme for the x509 import?
>
> Because it's import from ipalib to ipapython.
>
>>>
>>> Isn't this changing already published API for
>>> [insert|remove]_ca_cert_into_systemwide_ca_store?
>
> Yes. I don't think this is a public API and it is changed in Tomáš's
> platform code refactoring anyway.
>
>>>
>>> 294
>>>
>>> Can you change the old occurances of
>>>
>>> cafile = config.dir + "/ca.crt"
>>>
>>> to use CACERT instead?
>
> No, config.dir is the directory where the replica info is unpacked, not
> "/etc/ipa".
>
>>>
>>> Bad case in exception, "Ca cert file is not available". Is there any
>>> additional information we can provide, like what to do about it and
>>> where we looked?
>
> Maybe. This code is cut-and-pasted from install_ca_cert(), I did not
> touch it otherwise.
>
>>>
>>> You actually remove one occurrence of CACERT and replace it with a
>>> hardcoded path, is that on purpose?
>
> Yes. Currently, the CA certificate from the replica info is copied
> directly to /etc/ipa/ca.crt, but I want to use it only for connecting to
> LDAP and use whatever is in there to create /etc/ipa/ca.crt.
>
>>>
>>> ---
>>>
>>> I still need to do functional testing and will probably take another
>>> pass the changes through but this patchset generally looks ok.
>>
>> Several issues found during testing:
>>
>> 1. Enrollment from RHEL-5 fails because the entire cert chain is not
>> retrieved, only the issuing CA cert.
>>
>> Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction. SSL certificate problem, verify that the CA cert is OK.
>> Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>> Installation failed. Rolling back changes.
>
> I couldn't reproduce this, I have the full certificate chain in
> http://<master>/ipa/config/ca.crt.
>
>>
>> 2. Not quite sure the cause, but this is on a replica:
>>
>> # ldapsearch -x -Z
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> ldap_start_tls: Operations error (1)
>> additional info: SSL connection already established.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=greyoak,dc=com> (default) with scope subtree
>> # filter: (objectclass=*)
>>
>> Same command on initial master doesn't spit out the p11-kit errors.
>>
>> Get similar errors out of certutil:
>>
>> # certutil -L -d /etc/httpd/alias
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>> p11-kit: invalid basic constraints certificate extension
>>
>> Certificate Nickname Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> GREYOAK.COM IPA CA CT,C,C
>> Server-Cert u,u,u
>> CN=External Authority ,,
>> ipaCert u,u,u
>>
>> Same version of p11-kit on both machines.
>>
>> p11-kit-trust-0.20.2-1.fc20.x86_64
>> p11-kit-0.20.2-1.fc20.x86_64
>
> This does not happen for me. I don't touch basic constraints anywhere in
> the code. Can I see the "CN=External Authority" certificate?
>
>>
>> 3. On uninstall the CA's are not removed from /etc/pki/nssdb and
>> /etc/httpd/alias in one of my tests (the first one, so I no longer have
>> the logs).
>
> Will fix.
>
>>
>> 4. This one isn't your issue AFAICT, not sure if you've seen this one:
>>
>> # ipa-ca-install ...
>>
>> [snip]
>>
>> 2014-06-16T18:07:44Z DEBUG stdout=Loading deployment configuration from
>> /tmp/tmprI2isq.
>>
>> 2014-06-16T18:07:44Z DEBUG stderr=Traceback (most recent call last):
>> File "/usr/sbin/pkispawn", line 530, in <module>
>> main(sys.argv)
>> File "/usr/sbin/pkispawn", line 439, in main
>> info = parser.sd_get_info()
>> File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
>> line 442, in sd_get_info
>> info = sd.getSecurityDomainInfo()
>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 40, in
>> getSecurityDomainInfo
>> info.name = j['DomainInfo']['@id']
>> KeyError: 'DomainInfo'
>>
>> 2014-06-16T18:07:44Z CRITICAL failed to configure ca instance Command
>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmprI2isq'' returned non-zero
>> exit status 1
>> 2014-06-16T18:07:44Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 639, in run_script
>> return_value = main_function()
>
> I haven't seen this one. Can it be reproduced?
>
>>
>> 5. This one may be for Tomas, but:
>>
>> 2014-06-16T19:01:28Z INFO Deleting schedule 2358-2359 0 from agreement
>> cn=meTogrindle.greyoak.com,cn=replica,cn=dc\=greyoak\,dc\=com,cn=mapping
>> tree,cn=config
>> 2014-06-16T19:01:29Z ERROR unable to convert the attribute
>> u'nsds5replicalastupdateend' value '0' to type <type 'datetime.datetime'>
>> 2014-06-16T19:01:29Z INFO Replication Update in progress: TRUE: status:
>> 0 Replica acquired successfully: Incremental update started: start: 0:
>> end: 0
>> 2014-06-16T19:01:30Z ERROR unable to convert the attribute
>> u'nsds5replicalastupdateend' value '0' to type <type 'datetime.datetime'>
>> 2014-06-16T19:01:30Z INFO Replication Update in progress: TRUE: status:
>> 0 Replica acquired successfully: Incremental update started: start: 0:
>> end: 0
>> 2014-06-16T19:01:31Z ERROR unable to convert the attribute
>> u'nsds5replicalastupdateend' value '0' to type <type 'datetime.datetime'>
>> 2014-06-16T19:01:31Z INFO Replication Update in progress: TRUE: status:
>> 0 Replica acquired successfully: Incremental update started: start: 0:
>> end: 0
>> 2014-06-16T19:01:32Z ERROR unable to convert the attribute
>> u'nsds5replicalastupdateend' value '0' to type <type 'datetime.datetime'>
>> 2014-06-16T19:01:32Z INFO Replication Update in progress: TRUE: status:
>> 0 Replica acquired successfully: Incremental update started: start: 0:
>> end: 0
>
> I believe this is <https://fedorahosted.org/freeipa/ticket/4350>.
>
>>
>> 6. With an external CA install of F-20 vanilla, upgraded to this patch,
>> the external CA is not added to /etc/pki/nssdb. On a pure install of
>> this patch, it is added. Not sure if we care since the cert is in the
>> global cert store.
>
> Yes, that's one of the effects of "automatic distribution to clients is
> not implemented yet".
>
>>
>> 7. Something for the future, but I wonder if test test_0002_find_CA in
>> ipatests/test_xmlrpc/test_cert_plugin.py should be able to handle
>> external CAs.
>>
>> rob
>>
>
>
Updated and rebased patches attached.
--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-267.1-Do-not-treat-the-IPA-RA-cert-as-CA-cert-in-DS-NSS-da.patch
Type: text/x-patch
Size: 3572 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-268.1-Remove-certificate-External-CA-cert-from-etc-pki-nss.patch
Type: text/x-patch
Size: 1511 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-269.1-Allow-specifying-trust-flags-in-NSSDatabase-and-Cert.patch
Type: text/x-patch
Size: 1986 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-270.1-Fix-trust-flags-in-HTTP-and-DS-NSS-databases.patch
Type: text/x-patch
Size: 9990 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-271.1-Add-LDAP-schema-for-wrapped-cryptographic-keys.patch
Type: text/x-patch
Size: 3709 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-272.1-Add-LDAP-schema-for-certificate-store.patch
Type: text/x-patch
Size: 3425 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-273.1-Add-container-for-certificate-store.patch
Type: text/x-patch
Size: 1852 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-274.1-Configure-attribute-uniqueness-for-certificate-store.patch
Type: text/x-patch
Size: 2379 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-275.1-Add-permissions-for-certificate-store.patch
Type: text/x-patch
Size: 13369 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-276.1-Add-functions-for-extracting-certificates-fields-in-.patch
Type: text/x-patch
Size: 3376 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-277.1-Add-function-for-extracting-extended-key-usage-from-.patch
Type: text/x-patch
Size: 1752 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-278.1-Add-certificate-store-module-ipalib.certstore.patch
Type: text/x-patch
Size: 14520 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-279.1-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch
Type: text/x-patch
Size: 3206 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-280.1-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch
Type: text/x-patch
Size: 3815 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-281.1-Rename-CertDB-method-add_cert-to-import_cert.patch
Type: text/x-patch
Size: 1684 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-282.1-Add-method-for-adding-certificates-by-value-to-NSSDa.patch
Type: text/x-patch
Size: 3420 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0015.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-283.1-Import-CA-certs-from-certificate-store-to-DS-NSS-dat.patch
Type: text/x-patch
Size: 3020 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0016.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-284.1-Import-CA-certs-from-certificate-store-to-HTTP-NSS-d.patch
Type: text/x-patch
Size: 1599 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0017.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-285.1-Upload-renewed-CA-cert-to-certificate-store-on-renew.patch
Type: text/x-patch
Size: 1616 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0018.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-286.1-Refactor-CA-certificate-fetching-code-in-ipa-client-.patch
Type: text/x-patch
Size: 7364 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0019.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-287.1-Support-multiple-CA-certificates-in-etc-ipa-ca.crt-i.patch
Type: text/x-patch
Size: 11021 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0020.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-288.1-Add-function-for-writing-list-of-certificates-to-a-P.patch
Type: text/x-patch
Size: 3612 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0021.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-289.1-Get-CA-certs-for-etc-ipa-ca.crt-from-certificate-sto.patch
Type: text/x-patch
Size: 4372 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0022.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-290.1-Allow-overriding-NSS-database-path-in-RPCClient.patch
Type: text/x-patch
Size: 1646 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0023.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-291.1-Get-CA-certs-for-etc-pki-nssdb-from-certificate-stor.patch
Type: text/x-patch
Size: 10851 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0024.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-292.1-Add-functions-for-DER-encoding-certificate-extension.patch
Type: text/x-patch
Size: 1790 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0025.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-293.1-Get-CA-certs-for-system-wide-store-from-cert-store-i.patch
Type: text/x-patch
Size: 10193 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0026.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-294.1-Get-up-to-date-CA-certificates-from-certificate-stor.patch
Type: text/x-patch
Size: 3231 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140626/229d10e2/attachment-0027.bin>
More information about the Freeipa-devel
mailing list