[Freeipa-devel] [PATCH] 269 external CA signing, abstract RA
Rob Crittenden
rcritten at redhat.com
Tue Sep 15 14:01:24 UTC 2009
Pavel Zuna wrote:
> Rob Crittenden wrote:
>> The RA plugin originally only supported dogtag. At some point I want
>> to be able to do on-line replica creation and this means we need to be
>> able to do remote cert requests. To support this I've abstracted the
>> RA plugin and added basic self-signed CA support. To do this I had to
>> move the CA private key from the DS NSS database to the Apache NSS
>> database.
>>
>> The bulk of the patch adds support for an externally-signed dogtag CA.
>> This is a 2-step process. You run the IPA installer to create the CA
>> instance and generate a CSR. You take this CSR to your primary CA and
>> get it signed, then re-run the IPA installer and pass it this new
>> cert. A lot of our cert functions assumed 1 cert-per-file. I had to
>> remove that assumption and add in a sort of generic nickname
>> generator. It assumes that the certs will be in some sort of order in
>> the file. It doesn't really matter as long as the nicknames are unique.
>>
>> A replica created with a self-signed CA will not be able to issue
>> certs yet. I started this work by enhancing the file used to store the
>> next serial number to also store the next serial number to be used by
>> a replica. The idea is that we ship this to the replica then bump it
>> up by some value so that all replicas are unique. I think we'll have
>> to enforce that replicas can't create other replicas.
>>
>> rob
>>
> I didn't do extensive functionality tests, but the code looks really
> fine. I think we should push this. If something doesn't work exactly the
> way expected, we can always patch it later. ack.
>
> This patch makes some changes to the service plugin that aren't
> compatible with my latest service plugin patch (Make the service plugin
> use baseldap classes.) Since this is probably going to get pushed first,
> I already made a replacement patch that merges changes from both. It's
> attached.
>
> Pavel
Pushed to master.
rob
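Added example, not part of the message above and not FreeIPA's own code: a small model of the two mechanisms Rob describes, a nickname generator that gives every certificate in a multi-cert PEM file a unique NSS nickname, and a serial-number state that records both the next serial this CA will issue and the next serial to hand to a replica, bumped by a block each time a replica is created. The state keys (`nextserial`, `serialend`, `nextreplicaserial`), the text file layout, the block size and the sample PEM bundle are all assumptions made for this example, not FreeIPA's actual formats.

```python
"""Added example, not FreeIPA code: unique nicknames for a multi-cert PEM
file, and a serial-number state shared between a CA and its replicas.
Key names, file layout and block size are assumptions for this example."""
import base64
import re
from typing import Dict, Iterable, List, Tuple

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample bundle: the base64 bodies are placeholders standing in
# for real DER certificates (they decode, but are not parseable X.509).
# The first and third entries are the same "certificate" on purpose.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SUpLTE1OT1A=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----
"""

REPLICA_SERIAL_BLOCK = 1_000_000  # assumed size of the range given to each replica


def load_cert_bundle(pem_text: str) -> List[bytes]:
    """Every certificate in the file as DER, in file order (duplicates kept)."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_CERT_RE.finditer(pem_text)]


def assign_nicknames(certs: Iterable[bytes], base: str,
                     taken: Iterable[str] = ()) -> List[Tuple[str, bytes]]:
    """Pair each distinct certificate with a nickname that is unique both within
    the bundle and against `taken` (nicknames already in the NSS database).
    The first cert gets the base name, later ones get ' #2', ' #3', ...; a cert
    that appears twice in the file is imported once, since nicknames must be unique."""
    used = set(taken)
    seen = set()
    result = []
    n = 1
    for der in certs:
        if der in seen:
            continue
        seen.add(der)
        while True:
            nick = base if n == 1 else f"{base} #{n}"
            n += 1
            if nick not in used:
                break
        used.add(nick)
        result.append((nick, der))
    return result


def parse_serial_state(text: str) -> Dict[str, int]:
    """Parse the assumed 'key=value' state file into integers."""
    state: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            state[key.strip()] = int(value)
    if "nextserial" not in state or "serialend" not in state:
        raise ValueError("serial state file must carry nextserial and serialend")
    return state


def dump_serial_state(state: Dict[str, int]) -> str:
    return "".join(f"{k}={v}\n" for k, v in sorted(state.items()))


def new_master_state(block: int = REPLICA_SERIAL_BLOCK) -> Dict[str, int]:
    """The master owns serials [1, block); replica ranges start at `block`."""
    return {"nextserial": 1, "serialend": block, "nextreplicaserial": block}


def issue_serial(state: Dict[str, int]) -> Tuple[int, Dict[str, int]]:
    """Hand out this CA's next serial and return the bumped state.  Refuses to
    run past serialend, because the serials above it belong to a replica."""
    if state["nextserial"] >= state["serialend"]:
        raise RuntimeError("this CA's serial range is exhausted")
    serial = state["nextserial"]
    return serial, {**state, "nextserial": serial + 1}


def allocate_replica(state: Dict[str, int],
                     block: int = REPLICA_SERIAL_BLOCK) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Carve the next block out for a new replica: returns (replica_state, master_state).
    The replica state deliberately has no nextreplicaserial key, so a replica
    cannot create further replicas, which is the rule the message proposes."""
    if "nextreplicaserial" not in state:
        raise PermissionError("only the master CA may create replicas")
    start = state["nextreplicaserial"]
    replica = {"nextserial": start, "serialend": start + block}
    master = {**state, "nextreplicaserial": start + block}
    return replica, master


if __name__ == "__main__":
    for nick, der in assign_nicknames(load_cert_bundle(SAMPLE_BUNDLE), "CA certificate"):
        print(f"{nick!r}: {len(der)} DER bytes")
    master = new_master_state(block=100)
    serial, master = issue_serial(master)
    replica, master = allocate_replica(master, block=100)
    print(dump_serial_state(master), dump_serial_state(replica), sep="--\n")
```

The dedup-by-DER step is what makes "nicknames only have to be unique" safe in practice: importing the same certificate twice under two nicknames is legal in NSS but confuses later lookups, so it is skipped here.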