[Freeipa-devel] [RFE] CA-less install

Rob Crittenden rcritten at redhat.com
Wed Mar 27 16:09:17 UTC 2013


Jan Cholasta wrote:
> On 27.3.2013 16:23, Petr Viktorin wrote:
>> On 03/27/2013 03:44 PM, Jan Cholasta wrote:
>>> I have gone through the whole discussion, RFE page and your patches, and
>>> I still don't see why --root-ca-file is necessary. Walking the
>>> certificate chain from the server cert up to the root CA is easy, so why
>>> not do that to determine the root CA? If the option is there just to
>>> ensure that the right certificate is used, I think it would be better to
>>> ask the user to confirm that during the installation process, or use
>>> --root-ca-subject or similar option to specify what certificate to use.
>>
>> Well, --root-ca-file specifies the root of trust, not necessarily the
>> selfsigned/unsigned CA at end of the trust chain.
>> Suppose you have a company-wide cert signed by a "globally" trusted CA,
>> but you're paranoid and only want to trust the company cert, not a CA that
>> signs half the world's certificates. In that case walking up the chain
>> would select the wrong certificate.
>> Please correct me if my thinking is wrong.
>
> Makes sense, thanks. Can you please put this information in the RFE page?
>
>>
>> Yes, a --root-ca-subject would work too. I assumed the PEM file is
>> readily available.
>
> Well, I don't like how PEM file duplicates an unnecessary amount of
> information (the whole certificate). Also, copy-pasting subject might be
> faster than exporting certificate in PEM and uploading it to the server...

We're talking a one-time operation. I don't think it's asking too much.
It also gives the user some amount of control rather than assuming that
whatever tool they're using to create the PKCS#12 file is also smart
enough to include the right CAs.

>
>>
>>> We should do some validation of the PKCS#12 files and the certificates
>>> within them, as currently ipa-server-install will happily accept
>>> anything thrown at it. I think the minimum is to validate that the
>>> PKCS#12 file contains the whole certificate chain, the server key and
>>> only that, and that the server certificate has CN=<fqdn> (or
>>> CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
>>> don't do that, ipa-server-install might fail when it's too late to fix
>>> things.
>>
>> I don't want to check the subject because this RFE was prompted by IPA's
>> normal CA rejecting valid wildcard certs. Is there a reasonable way to
>> ask NSS if it will trust the cert? If there is I can put it in, but I
>> don't want to re-create the validation.
>
> I'm not sure TBH. Maybe someone with more NSS experience could answer this?

certutil -V -u V will do it.

I don't think it would be onerous to assure that either the FQDN is in
the CN or it is a '*'. python-nss has fairly easy ways to grab the
subject out of a cert for this comparison.

>>
>> The code checks for the whole cert chain, and that there's only one
>> server cert. Does that not work?
>
> Actually I didn't check this specifically. But, I used a server
> certificate with wrong subject and that made ipa-server-install fail.
>

One of the many cases that we will need to handle.

rob
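As an added example (not code from this thread or from FreeIPA), the bundle checks Jan asks for and the trust-anchor point Petr raises, modelled in plain Python: certificates are reduced to constructed (subject CN, issuer CN, has_key) records instead of being parsed from a real PKCS#12 file with python-nss, and `root_ca_subject` stands in for the cert given via --root-ca-file.

```python
"""Structural checks for a CA-less server PKCS#12 bundle (constructed model).

Rules modelled from the thread: exactly one cert carries the server key;
its CN is the FQDN or a wildcard for the FQDN's parent domain; the chain
from it up to the chosen trust anchor is complete; nothing else is in the
bundle.  The anchor need not be self-signed (a company CA signed by a
public root is a valid anchor), so the walk stops at the anchor's subject.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str           # CN of this certificate (constructed, not parsed)
    issuer: str            # CN of the certificate that signed it
    has_key: bool = False  # True if the PKCS#12 also carries its private key


def cn_matches(cn, fqdn):
    """Accept CN=<fqdn> or CN=*.<parent domain of fqdn>, nothing looser."""
    cn, fqdn = cn.lower(), fqdn.lower()
    if cn == fqdn:
        return True
    if cn.startswith("*.") and "." in fqdn:
        base = cn[2:]
        # Require a real domain after the '*' so '*.com' is never accepted.
        return "." in base and base == fqdn.split(".", 1)[1]
    return False


def validate_bundle(certs, fqdn, root_ca_subject):
    """Return [] if the bundle is acceptable, otherwise a list of problems."""
    keyed = [c for c in certs if c.has_key]
    if len(keyed) != 1:
        return [f"expected exactly one cert with a key, found {len(keyed)}"]
    server = keyed[0]
    problems = []
    if not cn_matches(server.subject, fqdn):
        problems.append(f"server cert CN {server.subject!r} does not match {fqdn!r}")
    by_subject = {c.subject: c for c in certs}
    chain, cur = [server], server
    while cur.subject != root_ca_subject:  # walk issuers up to the trust anchor
        issuer = by_subject.get(cur.issuer)
        if issuer is None:
            problems.append(f"chain broken: no cert for issuer {cur.issuer!r}")
            break
        if issuer in chain:  # self-signed cert (or loop) reached before the anchor
            problems.append(f"chain ends at {cur.subject!r} without reaching root CA {root_ca_subject!r}")
            break
        chain.append(issuer)
        cur = issuer
    extras = [c.subject for c in certs if c not in chain]  # anything beyond the chain is surplus
    if extras:
        problems.append(f"unexpected extra certs in bundle: {extras}")
    return problems
```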
