[Freeipa-devel] [RFC] certificate utilities for freeipa

Karl MacMillan kmacmill at redhat.com
Fri Dec 7 19:37:11 UTC 2007


I'm working on a tool to simplify management of user provided certs for
IPA (partial version attached). Let me give some background on what I
think we are trying to accomplish and then ask for some specific input.

When we bootstrap an IPA server we generate a set of certs for the
directory server instance and web server from a CA cert we generate
during installation. This is to give users a working installation, but
our assumption is that many (hopefully all) users will then want to
install certs generated from a public certificate authority or from an
existing internal CA.

I'm trying to make this process easier for them. The tool I have accepts
a certificate in pkcs#12, creates a new NSS db, and imports the cert. So
something like:

ipa-server-certinstall --dirsrv mycert.p12

[This must be run on the server]

The main value here is that it is a single step and they don't need to
know anything about where the certs are installed (or muck with apache
or ds config since we did that during installation).

Questions:

1) Does this overall workflow make sense? Will it work with certs
provided by most large CAs?

2) Is the value provided really enough, or should we just document how
to use the native tools (my thought is we should provide this tool, but
I thought I would ask).

3) The pkcs#12 files I export from an NSS database seem to pull in the
whole chain (so it includes the CA cert). Is this typical? Can I
therefore have the utility only accept a single pkcs12 file?

4) After import the CA cert has different trust flags than in the
original NSS db (not certain if the change is at export or import). Any
way to control this? The main problem is that I can't use certutil -M
after the fact because I don't know the name of the CA cert (or certs)
without parsing the pkcs#12 file.

5) How should I handle pin files?

6) What about cert nicknames - we assume Server-Cert right now for both
the directory server and apache. I'm not even clear on how that nickname
is set in the pkcs#12 file when it originates from something other than
a pk12util export for an NSS db.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-certs.patch
Type: text/x-patch
Size: 3827 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071207/d8ea597b/attachment.bin>
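As an added example (not part of the mail above, its attached patch, or IPA's own tool), a shell sketch of the import flow Karl describes, plus one way around question 4: after a pk12util import the chain certificates carry no `u` (private key) flag in the `certutil -L` listing, so their nicknames can be taken from that listing and passed to `certutil -M` instead of parsing the pkcs#12 file. It assumes certutil and pk12util (nss-tools) are on PATH; the `certutil -L` listing embedded in the block is constructed.

```shell
#!/bin/sh
# Added example (not from the original mail or the attached patch):
# import a PKCS#12 bundle into a fresh NSS db and fix the trust flags of
# the CA certs that came along, without parsing the PKCS#12 file itself.

# Print the nicknames from `certutil -L` output (read on stdin) whose trust
# column has no 'u' flag. After a pk12util import the entry that owns the
# private key shows "u,u,u"; the chain/CA certs it dragged in show ",,".
chain_nicknames() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ && $NF !~ /u/ {
            $NF = ""; sub(/[ \t]+$/, ""); print
         }'
}

# Fresh NSS db, import, then mark every chain cert as a trusted CA.
# $1 = db directory, $2 = PKCS#12 file, $3 = pin file holding the db password.
# Needs certutil and pk12util (nss-tools); pk12util prompts for the PKCS#12
# password unless -w <file> is added.
install_p12() {
    dbdir=$1; p12=$2; pinfile=$3
    mkdir -p "$dbdir"
    certutil -N -d "$dbdir" -f "$pinfile"
    pk12util -i "$p12" -d "$dbdir" -k "$pinfile"
    certutil -L -d "$dbdir" | chain_nicknames | while IFS= read -r nick; do
        certutil -M -d "$dbdir" -n "$nick" -t "CT,C,C"
    done
}

# Constructed `certutil -L` listing, as it would look right after the import.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
Example Root CA                                 ,,
'

# Stand-alone demo: which nicknames would get their trust flags re-set?
printf '%s' "$SAMPLE_LISTING" | chain_nicknames
```

Run `install_p12 /etc/dirsrv/slapd-EXAMPLE mycert.p12 pin.txt` style invocations only against a scratch db first; the trust string `CT,C,C` is one reasonable choice, not the only one.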