[Freeipa-devel] [PATCH] 269 external CA signing, abstract RA

Rob Crittenden rcritten at redhat.com
Thu Sep 10 20:35:16 UTC 2009


The RA plugin originally only supported dogtag. At some point I want to 
be able to do on-line replica creation and this means we need to be able 
to do remote cert requests. To support this I've abstracted the RA 
plugin and added basic self-signed CA support. To do this I had to move 
the CA private key from the DS NSS database to the Apache NSS database.

The bulk of the patch adds support for an externally-signed dogtag CA. 
This is a 2-step process. You run the IPA installer to create the CA 
instance and generate a CSR. You take this CSR to your primary CA and 
get it signed, then re-run the IPA installer and pass it this new cert. 
A lot of our cert functions assumed 1 cert-per-file. I had to remove 
that assumption and add in a sort of generic nickname generator. It 
assumes that the certs will be in some sort of order in the file. It 
doesn't really matter as long as the nicknames are unique.

A replica created with a self-signed CA will not be able to issue certs 
yet. I started this work by enhancing the file used to store the next 
serial number to also store the next serial number to be used by a 
replica. The idea is that we ship this to the replica then bump it up by 
some value so that all replicas are unique. I think we'll have to 
enforce that replicas can't create other replicas.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-269-external.patch
Type: application/mbox
Size: 93054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090910/2476b224/attachment.mbox>
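Added illustration of the "more than one cert per file" handling described above: a loader that splits a PEM bundle (for example the externally-signed CA cert plus the chain that signed it) into its individual certificates and hands each a unique NSS nickname in file order. This is example code written for this page, not FreeIPA's own nickname generator. The nickname scheme (<base>, <base>-2, <base>-3, ...), the fingerprint-based duplicate check and the sample bundle built from constructed stand-in bytes are all assumptions for the example; the stand-ins are not real X.509 certificates.

```python
"""Load any number of certificates from one PEM file and give each a unique
NSS nickname.  Example code for the freeipa-devel discussion; not FreeIPA's
own implementation.  Nickname scheme and the constructed sample bundle are
assumptions made for the example."""

import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block, in file order.

    Bad base64 is a hard error: silently skipping a block would leave a
    chain cert out of the NSS database with no indication why."""
    ders = []
    for i, body in enumerate(PEM_RE.findall(text), start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {i}: bad base64: {exc}") from exc
        if not der:
            raise ValueError(f"certificate {i}: empty body")
        ders.append(der)
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; used only to spot exact duplicates."""
    return hashlib.sha256(der).hexdigest()


def assign_nicknames(ders, base: str) -> list:
    """Map each distinct certificate to a unique nickname.

    Names follow file order ("some sort of order"), but the order itself
    does not matter; what matters is that no two certs share a nickname,
    so a cert that appears twice in the file is collapsed to one entry."""
    seen = {}
    out = []
    for der in ders:
        fp = fingerprint(der)
        if fp in seen:
            continue
        n = len(seen) + 1
        nick = base if n == 1 else f"{base}-{n}"
        seen[fp] = nick
        out.append((nick, fp, der))
    return out


def load_bundle(text: str, base: str = "ca-cert") -> list:
    """Convenience wrapper: (nickname, fingerprint, der) for each cert."""
    return assign_nicknames(split_pem_bundle(text), base)


def _pem(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block (helper for the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for DER certificates (not real X.509), so the
# example runs offline.  The external root appears twice on purpose.
FAKE_IPA_CA = b"\x30\x82constructed-ipa-ca-signed-externally"
FAKE_EXTERNAL_ROOT = b"\x30\x82constructed-external-root-ca"
SAMPLE_BUNDLE = _pem(FAKE_IPA_CA) + _pem(FAKE_EXTERNAL_ROOT) + _pem(FAKE_EXTERNAL_ROOT)


if __name__ == "__main__":
    for nick, fp, der in load_bundle(SAMPLE_BUNDLE):
        print(f"{nick:12s} {len(der):4d} bytes  sha256={fp[:16]}...")
```

Each (nickname, der) pair is then imported separately, e.g. with `certutil -A -d <dbdir> -n <nickname> -t <trust> -i <single-cert-file>`; the duplicate check above avoids the "nickname already in use" failure that a chain file listing the same root twice would otherwise produce.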
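Added example of the serial-number bookkeeping sketched in the post for the self-signed CA: one state record holds the next serial this CA issues and the next serial to hand to a new replica; creating a replica gives it a disjoint range and bumps the master's replica pointer by the range size, and a replica is flagged so it cannot create further replicas. This is example code for this page, not FreeIPA's code. The JSON layout, field names, the default range size and the fixed-size range scheme are assumptions.

```python
"""Serial-number state for a self-signed CA and the replicas it creates.
Example code for the freeipa-devel discussion; not FreeIPA's implementation.
File layout, field names and the range size are assumptions."""

import json
from dataclasses import asdict, dataclass
from pathlib import Path

DEFAULT_RANGE = 1_000_000  # assumption: serials reserved per CA instance


@dataclass
class SerialState:
    range_start: int          # first serial this CA may issue
    range_end: int            # exclusive upper bound of this CA's range
    next_serial: int          # next serial this CA will issue
    next_replica_serial: int  # start of the range the next replica gets
    can_create_replicas: bool # False on replicas: replicas can't make replicas

    @classmethod
    def initial(cls, range_size: int = DEFAULT_RANGE) -> "SerialState":
        """State for the first (master) CA: serials 1..range_size-1 are its
        own; replica ranges begin right after."""
        return cls(range_start=1, range_end=1 + range_size, next_serial=1,
                   next_replica_serial=1 + range_size, can_create_replicas=True)

    def issue(self) -> int:
        """Hand out the next serial, refusing to run into another CA's range."""
        if self.next_serial >= self.range_end:
            raise RuntimeError("serial range exhausted; needs a new range")
        serial = self.next_serial
        self.next_serial += 1
        return serial

    def allocate_replica(self, range_size: int = DEFAULT_RANGE) -> "SerialState":
        """Carve out the range shipped to a new replica and bump our pointer
        so the next replica gets a different, non-overlapping range."""
        if not self.can_create_replicas:
            raise PermissionError("replicas may not create other replicas")
        start = self.next_replica_serial
        self.next_replica_serial = start + range_size
        return SerialState(range_start=start, range_end=start + range_size,
                           next_serial=start, next_replica_serial=0,
                           can_create_replicas=False)

    def to_json(self) -> str:
        return json.dumps(asdict(self))

    @classmethod
    def from_json(cls, text: str) -> "SerialState":
        return cls(**json.loads(text))

    def save(self, path) -> None:
        Path(path).write_text(self.to_json())

    @classmethod
    def load(cls, path) -> "SerialState":
        return cls.from_json(Path(path).read_text())


def ranges_disjoint(states) -> bool:
    """True if no two CA instances could ever issue the same serial."""
    spans = sorted((s.range_start, s.range_end) for s in states)
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:]))


if __name__ == "__main__":
    master = SerialState.initial(range_size=1000)
    print("master issues", master.issue(), master.issue())
    replica = master.allocate_replica(range_size=1000)
    print("replica issues", replica.issue(), "; disjoint:",
          ranges_disjoint([master, replica]))
```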