[Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts

Rob Crittenden rcritten at redhat.com
Thu Nov 18 22:04:28 UTC 2010


Simo Sorce wrote:
> On Fri, 05 Nov 2010 15:20:27 -0400
> Rob Crittenden<rcritten at redhat.com>  wrote:
>
>> When a host is deleted we revoke its certificate, if any.
>>
>> When a host keytab is disabled we disable all the keytabs and revoke
>> the certificates of its services.
>>
>> I've also tried to make it more universal to display certificate
>> details when viewing a record with a certificate in it.
>>
>> rob
>
> a. needs rebase (I did a rebase on my own, hopefully the next point was
> not because of that)
>
> b. after some fiddling and testing ipa host-disable seems to return a
> bogus error of: ipa: ERROR: no modifications to be performed
> and if tried again: ipa: ERROR: This entry is already disabled
>
> Possibly the first error was returned because the service I took a cert
> for (to test the cert was removed on disabling, which it was) didn't
> have a keytab associated.
>
> So NACK on this error, but the general approach looks good.
>
> Simo.
>

Updated patch attached. Here is how to test it.

My IPA server is on host slinky.example.com. I'm doing these commands 
from there.

# mkdir /etc/nsstmp
# certutil -N -d /etc/nsstmp (for simplicity do not set a password)
# ipa host-add puma.example.com
# ipa-getkeytab -s slinky -k /tmp/test.kt host/puma.example.com
# ipa-getcert request -d /etc/nss -n Server-Cert -N "cn=puma.example.com,O=EXAMPLE.COM" -K host/puma.example.com@EXAMPLE.COM

Now run this until the cert is in the state MONITORING
# ipa-getcert list

Just to double check, look at the host, it should have a keytab and a cert:

# ipa host-show puma
   Host name: puma.example.com
   Certificate: [base64 certificate body omitted from the archive]
   Principal name: host/puma.example.com@EXAMPLE.COM
   Keytab: True
   Managed by: puma.example.com
   Subject: CN=puma.example.com,O=EXAMPLE.COM
   Serial Number: 1029
   Issuer: CN=EXAMPLE.COM Certificate Authority
   Not Before: Thu Nov 18 20:41:16 2010 UTC
   Not After: Wed Nov 18 20:41:16 2015 UTC
   Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d
   Fingerprint (SHA1): a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12

Finally we're ready to test if disabling the host revokes/removes the 
cert too:

# ipa host-disable puma
---------------------------------------------------------
Removed kerberos key and disabled all services for "puma"
---------------------------------------------------------

Verify that the host is disabled and its cert is gone:

# ipa host-show puma
   Host name: puma.example.com
   Principal name: host/puma.example.com@EXAMPLE.COM
   Keytab: False
   Managed by: puma.example.com

Note that I'm allowing admin to write enrolledBy again. I need to find a 
better way to handle the attribute, but let's clear it without errors for now.

rob
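The test procedure above compares `ipa host-show` output before and after `ipa host-disable`. As an added check that is not part of the patch or of the mail, here is a small Python parser for that output which encodes the expected state change: before disabling, the host must have a keytab and a certificate; afterwards, the keytab flag must be False and every certificate-derived field (Certificate, Serial Number, Subject, Issuer, fingerprints) must be gone. It also pulls out the serial number of the certificate that the CA should now list as revoked, so the operator can confirm the revocation on the CA side. The sample outputs are constructed from the mail; the base64 certificate body is a placeholder. The third sample, where the certificate survives the disable, is constructed to show the check failing.

```python
# Verify the before/after state of a host around `ipa host-disable`.
# Sample outputs are constructed from the host-show listings in the mail;
# the certificate body is a placeholder, not a real certificate.
HOST_SHOW_BEFORE = """\
  Host name: puma.example.com
  Certificate: MIIC...base64-placeholder...
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: puma.example.com
  Subject: CN=puma.example.com,O=EXAMPLE.COM
  Serial Number: 1029
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Thu Nov 18 20:41:16 2010 UTC
  Not After: Wed Nov 18 20:41:16 2015 UTC
  Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d
  Fingerprint (SHA1): a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12
"""

HOST_SHOW_AFTER = """\
  Host name: puma.example.com
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: puma.example.com
"""

# Constructed failure case: keytab removed but the certificate was left behind.
HOST_SHOW_STALE_CERT = """\
  Host name: puma.example.com
  Certificate: MIIC...base64-placeholder...
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: puma.example.com
  Serial Number: 1029
"""

# Every field that only exists while the host entry carries a certificate.
CERT_FIELDS = (
    "Certificate", "Subject", "Serial Number", "Issuer",
    "Not Before", "Not After", "Fingerprint (MD5)", "Fingerprint (SHA1)",
)


def parse_host_show(text):
    """Turn the 'Key: value' lines of `ipa host-show` into a dict.

    Only the first colon splits key from value, so values such as
    'host/puma.example.com@EXAMPLE.COM' or timestamps survive intact.
    Lines without a colon (e.g. a wrapped base64 continuation) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def pending_revocation_serial(before_text):
    """Serial number of the certificate that host-disable is expected to revoke."""
    return parse_host_show(before_text).get("Serial Number")


def check_host_disabled(before_text, after_text):
    """Return (ok, problems) for a before/after pair of host-show outputs."""
    before = parse_host_show(before_text)
    after = parse_host_show(after_text)
    problems = []

    # Preconditions: the test is meaningless unless the host really had both.
    if before.get("Keytab") != "True":
        problems.append("host had no keytab before disable")
    if "Serial Number" not in before:
        problems.append("host had no certificate before disable")

    # Postconditions from the patch: keytab gone, certificate gone, entry kept.
    if after.get("Host name") != before.get("Host name"):
        problems.append("host entry missing or renamed after disable")
    if after.get("Keytab") != "False":
        problems.append("keytab still present after disable")
    for key in CERT_FIELDS:
        if key in after:
            problems.append("%s still present after disable" % key)

    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_host_disabled(HOST_SHOW_BEFORE, HOST_SHOW_AFTER)
    print("disable check:", "PASS" if ok else "FAIL", problems)
    print("serial to confirm as revoked on the CA:",
          pending_revocation_serial(HOST_SHOW_BEFORE))
    ok, problems = check_host_disabled(HOST_SHOW_BEFORE, HOST_SHOW_STALE_CERT)
    print("stale-cert check:", "PASS" if ok else "FAIL", problems)
```

In practice the two strings would be captured from `ipa host-show puma` before and after the disable; the parser is deliberately line-oriented so the check keeps working if new fields are added to the output.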
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-604-2-host.patch
Type: text/x-patch
Size: 26450 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101118/22491729/attachment.bin>