[Freeipa-devel] [PATCH] 269 external CA signing, abstract RA

Rob Crittenden rcritten at redhat.com
Tue Sep 15 14:01:24 UTC 2009


Pavel Zuna wrote:
> Rob Crittenden wrote:
>> The RA plugin originally only supported dogtag. At some point I want 
>> to be able to do on-line replica creation and this means we need to be 
>> able to do remote cert requests. To support this I've abstracted the 
>> RA plugin and added basic self-signed CA support. To do this I had to 
>> move the CA private key from the DS NSS database to the Apache NSS 
>> database.
>>
>> The bulk of the patch adds support for an externally-signed dogtag CA. 
>> This is a 2-step process. You run the IPA installer to create the CA 
>> instance and generate a CSR. You take this CSR to your primary CA and 
>> get it signed, then re-run the IPA installer and pass it this new 
>> cert. A lot of our cert functions assumed 1 cert-per-file. I had to 
>> remove that assumption and add in a sort of generic nickname 
>> generator. It assumes that the certs will be in some sort of order in 
>> the file. It doesn't really matter as long as the nicknames are unique.
>>
>> A replica created with a self-signed CA will not be able to issue 
>> certs yet. I started this work by enhancing the file used to store the 
>> next serial number to also store the next serial number to be used by 
>> a replica. The idea is that we ship this to the replica then bump it 
>> up by some value so that all replicas are unique. I think we'll have 
>> to enforce that replicas can't create other replicas.
>>
>> rob
>>
> I didn't do extensive functionality tests, but the code looks really 
> fine. I think we should push this. If something doesn't work exactly the 
> way expected, we can always patch it later. ack.
> 
> This patch makes some changes to the service plugin that aren't 
> compatible with my latest service plugin patch (Make the service plugin 
> use baseldap classes.) Since this is probably going to get pushed first, 
> I already made a replacement patch that merges changes from both. It's 
> attached.
> 
> Pavel

Pushed to master.

rob
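As an added example, not code from the patch or from FreeIPA, here is one way to handle the multi-cert file case Rob describes above: split a PEM bundle into its certificates in file order, sanity-check each one as a DER SEQUENCE, and assign each a nickname that is unique among the nicknames already present in the NSS database. The nickname scheme (`base`, `base #1`, ...), the function names and the embedded sample bundle are assumptions for illustration; the sample DER blobs are constructed placeholders, not real certificates.

```python
"""Split a PEM bundle into its certificates and give each a unique NSS nickname."""
import base64
import re

# Matches one PEM certificate block; non-greedy so a bundle yields one match per cert.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in `text`, in file order.

    Raises ValueError if a block is not base64 or does not start with a
    DER SEQUENCE tag (0x30), which every X.509 certificate must.
    """
    ders = []
    for match in _PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())  # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate block is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate block is not a DER SEQUENCE")
        ders.append(der)
    return ders


def unique_nickname(base, taken):
    """Return `base`, or `base` with the smallest numeric suffix not in `taken`."""
    if base not in taken:
        return base
    n = 1
    while f"{base} #{n}" in taken:
        n += 1
    return f"{base} #{n}"


def assign_nicknames(ders, base, existing=()):
    """Pair each DER cert with a nickname unique among `existing` and the bundle.

    `existing` stands for the nicknames already in the NSS database (assumed
    here to be known up front). Certificates keep their file order; the exact
    order does not matter for correctness, only that every nickname is unique.
    """
    taken = set(existing)
    out = []
    for der in ders:
        nick = unique_nickname(base, taken)
        taken.add(nick)
        out.append((nick, der))
    return out


def _pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (used to build the sample bundle)."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: three minimal DER SEQUENCEs (SEQUENCE { INTEGER n })
# standing in for an external root, the IPA CA cert and a server cert.
# They are placeholders, not real certificates.
SAMPLE_DERS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x03"]
SAMPLE_BUNDLE = "".join(_pem(d) for d in SAMPLE_DERS)


if __name__ == "__main__":
    chain = assign_nicknames(split_pem_bundle(SAMPLE_BUNDLE), "External CA",
                             existing={"External CA"})
    for nick, der in chain:
        print(nick, der.hex())
```

Because `existing` is consulted before any nickname is handed out, re-running the installer against a database that already holds "External CA" yields "External CA #1", "External CA #2", ... rather than a collision; a malformed block fails the whole load instead of silently importing garbage.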