[Freeipa-devel] [PATCH] convert ipa-server-setupssl to python

Rob Crittenden rcritten at redhat.com
Fri Dec 7 14:18:38 UTC 2007


Karl MacMillan wrote:
> Convert the setup of ssl from a shell script to a
> python module. This is in preparation for user
> supplied certs.

A good start but there are a number of issues with this:

It shouldn't be assumed that all cert operations will be done using the 
FDS cert database. For example, with the web server it uses a separate 
database. Multiple servers should share the same cert database.

The -m flag sets the cert serial number. This needs to be unique for 
each certificate issued by a CA. Probably need to store the last serial 
# used in a file somewhere and increment with each new cert (with 
locking, of course).

Would it make sense to move strings like "CA Certificate" into variables 
(or arguments) so it is easier to change later?

I think the argument for certutil -v should be an argument or fixed 
variable as well (this defines the number of months the cert is valid for).

I think we need to document what we are passing to the -1 and -5 
certutil arguments (I'm glad you included it). They are:

-1 (Create key usage extension)
    2 - Key encipherment
    9 - done
    n - not critical

-5 (Create netscape cert type extension)
    1 - SSL Server
    9 - done
    n - not critical

rob
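As an added illustration of two of the points above (a persistent, locked serial counter instead of a fixed -m value, and passing the -m/-v values and the -1/-5 prompt answers in as parameters), here is a small Python sketch; it is not code from Karl's patch. The counter file path, the "Server-Cert" nickname and the "u,u,u" trust flags are assumptions.

```python
import fcntl
import os
import tempfile

# Assumed location for the persistent counter; not from the patch.
SERIAL_FILE = "/var/lib/ipa/ca_serialno"

# stdin answers certutil expects for the -1 and -5 prompts, as listed above.
KEY_USAGE_ANSWERS = ["2", "9", "n"]           # Key encipherment, done, not critical
NETSCAPE_CERT_TYPE_ANSWERS = ["1", "9", "n"]  # SSL Server, done, not critical

def next_serial(path=SERIAL_FILE):
    """Return the next CA serial number, persisting it under an exclusive lock.

    flock serialises the read-modify-write, so two concurrent issuers
    cannot hand out the same serial.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        data = os.read(fd, 64).strip()
        serial = (int(data) if data else 0) + 1
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, b"%d\n" % serial)
        os.fsync(fd)
        return serial
    finally:
        os.close(fd)  # closing the descriptor releases the lock

def extension_answers():
    """Text to feed certutil on stdin for the -1 and -5 prompts, in order."""
    return "\n".join(KEY_USAGE_ANSWERS + NETSCAPE_CERT_TYPE_ANSWERS) + "\n"

def certutil_args(dbdir, nickname, subject, ca_nick, serial, valid_months):
    """certutil -S argument list with serial and validity passed in, not hard-coded.
    The trust flags "u,u,u" are an assumption for a server cert."""
    return ["certutil", "-S", "-d", dbdir, "-n", nickname, "-s", subject,
            "-c", ca_nick, "-t", "u,u,u", "-m", str(serial),
            "-v", str(valid_months), "-1", "-5"]

def demo():
    """Allocate two serials against a fresh counter file in a temporary dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca_serialno")
        return next_serial(path), next_serial(path)
```

The answers string would be handed to certutil's stdin (e.g. via subprocess) alongside the argument list, so the prompt values live in one documented place.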