[Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

Petr Viktorin pviktori at redhat.com
Tue Jul 24 11:03:50 UTC 2012


On 07/23/2012 10:03 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Andrew Wnuk wrote:
>>> On 07/16/2012 01:35 PM, Rob Crittenden wrote:
>>>> Nalin Dahyabhai wrote:
>>>>> On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
>>>>>> Use the new certmonger capability to be able to renew the dogtag
>>>>>> subsystem certificates (audit, OCSP, etc).
>>>>>
>>>>> Are the copies of the certificates in the pki-ca CS.cfg file being
>>>>> updated elsewhere?  Or is it not turning out to be a problem if they
>>>>> aren't?
>>>>
>>>> I didn't test validating OCSP signatures but the audit subsystem
>>>> seemed fine (it complained wildly when I had the wrong trust in the
>>>> NSS db).
>>>>
>>>> Andrew, do I need to update CS.cfg as well?
>>>>
>>> Yes, you may need to update CS.cfg too.
>>
>> Ok, added a bit to update CS.cfg with the new certificate.
>
> This should fix some SELinux issues preventing certmonger from
> monitoring the dogtag certificate database in /var/lib/pki-ca/alias.
>
> rob

I don't know enough about dogtag/certmonger to comment on the 
functionality, but there are minor issues I can find. Attaching a patch 
to fix them.


`make rpms` fails:

rpmbuild --define "_topdir /rpmbuild" -ba freeipa.spec
error: %changelog not in descending chronological order
make: *** [rpms] Error 1



`git am` complains:

Applying: Use certmonger to renew CA subsystem certificates
/home/pviktori/freeipa/.git/rebase-apply/patch:576: new blank line at EOF.
+
/home/pviktori/freeipa/.git/rebase-apply/patch:645: new blank line at EOF.
+
warning: 2 lines add whitespace errors.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fixes-for-rcrit-1033-03.patch
Type: text/x-patch
Size: 1961 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120724/ef6d9351/attachment.bin>

