[Freeipa-devel] [PATCH] First pass at CA installer
Rob Crittenden
rcritten at redhat.com
Fri Apr 3 18:08:36 UTC 2009
Jason Gerard DeRose wrote:
> On Wed, 2009-04-01 at 23:22 -0400, Rob Crittenden wrote:
>> Implement an installer for the Dogtag certificate system.
>>
>> The CA is currently not automatically installed. You have to pass in the
>> --ca flag to install it.
>>
>> What works:
>> - installation
>> - uninstallation
>> - cert/ra plugins can issue and retrieve server certs
>>
>> What doesn't work:
>> - self-signed CA is still created and issues Apache and DS certs
>> - dogtag and python-nss not in rpm requires
>> - requires that CS be in the "pre" install state from pkicreate
>>
>> So basically after doing this you have 2 CAs. The old self-signed CA
>> from IPA v1 and a new dogtag-based CA. This new CA is used by the
>> cert/ra plugins. My next step is to replace the self-signed CA.
>>
>> I'm also doing all my testing of dogtag using the SVN tip. A number of
>> important bug fixes are there.
>>
>> This also adds a python-nss based httplib library. Also on my list of
>> things to do is to drop the fork calls to sslget. They aren't very
>> efficient and they make SELinux cry.
>>
>> rob
>
> ack. I don't understand all of the installer details, but everything
> looks reasonable to me, doesn't seem to break anything.
>
> Thanks for fixing the ra.sec_dir path when running in the server.
>
pushed to master