[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Jan Cholasta jcholast at redhat.com
Wed Jul 23 12:26:42 UTC 2014


On 22.7.2014 15:21, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 2.7.2014 19:37, Jan Cholasta wrote:
>>>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>>>> Trimming to respond to your questions.
>>>>>>> Not sure if this is related:
>>>>>>> # pki cert-find
>>>>>>> PKIException: Internal Server Error
>>>>>
>>>>> I'm pretty sure the cert-find error is related to the fact that I had a
>>>>> test build of dogtag installed, so that can be ignored.
>>>>
>>>> It does not work for me as well, with the current F20 dogtag packages,
>>>> but like I said, it worked some time ago.
>>>
>>> Still haven't figured this out, unfortunately.

Fixed. Part of the problem was that the validation code I used on CA 
certificates was too tolerant (fixed in patches 249 and 251). Another 
part was that the NSS validation code that Dogtag uses requires the 
issuing CA to be present in the NSS database (fixed in patch 306). Finally, 
Dogtag uses default NSS certificate path validation, which means you 
have to either keep all versions of the CA certificate in the NSS 
database, or enable PKIX path validation in NSS. Certmonger does not 
like having multiple versions of a certificate it is tracking in the 
database, so I have gone the PKIX route (patch 307).

>>>
>>> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
>>> certificates on master.
>>>
>>> Updated rebased patches attached. The correct order to apply is 295-294,
>>> 303-305, 295-299.
>>>
>>
>> 251 I'm a little confused about the profile names. I see you changed the
>> renewal profile from ipaCACertRenewal to caCACert which I guess makes
>> sense. I don't see a ipaCACertRenewal profile. There is still a
>> reference to a ipaRetrieval profile, what is that?

Oops, I forgot to mention that, I guess I shouldn't post patches at such 
a late hour :) Sorry.

ipaCACertRenewal should be used only for automatic renewal, not for 
manual. It calls caCACert and ipaRetrieval internally, but there are 
some conditions, which don't apply to manual renewal. It's a change I 
forgot to make before, so I made it now when I noticed it. ipaRetrieval 
fetches the certificate from cn=ca_renewal, i.e. what 
dogtag-ipa-retrieve-agent-submit used to do.

>>
>> ACK to the changes in 291
>>
>> 299 I guess you added the check for existing certs to avoid conflicts? I
>> guess it means that a user is hosed if they chose the same name for
>> their CA that we use? I think you're missing a sys.exit(1) here.

Yes. It is a poor man's solution, but it would take time to make 
something better. (I can deal with nickname conflicts rather easily by 
renaming the certificates, but handling subject conflict would require 
removing the old certificate from the certificate store, which is not 
yet supported.)

Fixed missing exit.

>>
>> 303 Looks good. The man page is still a little thin
>>
>> 304 Not to be too pedantic but if removing the old CACERT fails
>> (SELinux, immutable file) then the install will blow up and this is the
>> very end. I think the removal should happen earlier, before anything
>> else happens. That way at least you don't wait 10 minutes to find out the
>> install failed.

I switched to overwriting the file instead. It is created/written a few 
lines above, so if it shall fail, it will fail there.

>>
>> 305 ACK
>>
>> I didn't have a ton of time to test but a basic install fails with:
>>
>> 2014-07-03T21:44:49Z DEBUG stderr=
>> 2014-07-03T21:44:49Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 640, in run_script
>>      return_value = main_function()
>>
>>    File "/usr/sbin/ipa-server-install", line 1046, in main
>>      dm_password, subject_base=options.subject)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 489, in configure_instance
>>      self.start_creation(runtime=210)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 382, in start_creation
>>      method()
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1041, in __import_ca_chain
>>      (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 79, in get_cert_nickname
>>      nsscert = x509.load_certificate(cert)
>>
>>    File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
>> load_certificate
>>      return nss.Certificate(buffer(data))
>>
>> 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
>> exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
>> attempting to import a cert with the same issuer/serial as an existing
>> cert, but that is not the same cert.
>
> I haven't gotten much further than this. I spent some time trying to
> find a change that would cause it and came up empty. Once this bug
> shows, it always shows, but it can go away at times too which is just
> blowing my little mind.
>
> For example, I tried rolling the patches back one at a time (revert,
> build, install, repeat). It failed even back to the point where I knew
> things should be working. I installed 3.3.5, then tried the current
> build, which had failed before, and it worked. So there is some odd
> transient thing going on that I can't wrap my head around.

I have not yet seen this failure myself.

It looks like NSS internally imports the certificate, which conflicts 
with the database NSS is initialized with. Perhaps a well placed 
nss_shutdown() might fix this? Maybe using NSS contexts instead of 
global initialization could help.

>
> rob
>

I have taken your advice and don't touch trust flags on unknown CA certs 
on upgrades anymore. I have also made a number of little tweaks.

Updated rebased patches attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-241.7-Add-function-for-checking-if-certificate-is-self-sig.patch
Type: text/x-patch
Size: 895 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-242.7-Support-CA-certificate-renewal-in-dogtag-ipa-ca-rene.patch
Type: text/x-patch
Size: 3126 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-243.7-Allow-IPA-master-hosts-to-update-CA-certificate-in-L.patch
Type: text/x-patch
Size: 1077 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-244.7-Automatically-update-CA-certificate-in-LDAP-on-renew.patch
Type: text/x-patch
Size: 2383 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-245.7-Track-CA-certificate-using-dogtag-ipa-ca-renew-agent.patch
Type: text/x-patch
Size: 5097 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-246.7-Add-method-for-setting-CA-renewal-master-in-LDAP-to-.patch
Type: text/x-patch
Size: 2471 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-247.7-Provide-additional-functions-to-ipapython.certmonger.patch
Type: text/x-patch
Size: 2097 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-248.7-Move-external-cert-validation-from-ipa-server-instal.patch
Type: text/x-patch
Size: 5954 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-249.7-Add-method-for-verifying-CA-certificates-to-NSSDatab.patch
Type: text/x-patch
Size: 1824 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-250.7-Add-permissions-for-CA-certificate-renewal.patch
Type: text/x-patch
Size: 3887 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-251.7-Add-CA-certificate-management-tool-ipa-cacert-manage.patch
Type: text/x-patch
Size: 17294 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-252.7-Alert-user-when-externally-signed-CA-is-about-to-exp.patch
Type: text/x-patch
Size: 1670 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-253.7-Load-sysupgrade.state-on-demand.patch
Type: text/x-patch
Size: 1341 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-262.6-Pick-new-CA-renewal-master-when-deleting-a-replica.patch
Type: text/x-patch
Size: 3778 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-263.5-Remove-master-ACIs-when-deleting-a-replica.patch
Type: text/x-patch
Size: 2614 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-264.5-Do-not-use-ldapi-in-certificate-renewal-scripts.patch
Type: text/x-patch
Size: 12315 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0015.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-265.5-Check-that-renewed-certificates-coming-from-LDAP-are.patch
Type: text/x-patch
Size: 2898 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0016.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-266.4-Allow-IPA-master-hosts-to-read-and-update-IPA-master.patch
Type: text/x-patch
Size: 3191 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0017.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-267.4-Do-not-treat-the-IPA-RA-cert-as-CA-cert-in-DS-NSS-da.patch
Type: text/x-patch
Size: 3574 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0018.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-268.4-Remove-certificate-External-CA-cert-from-etc-pki-nss.patch
Type: text/x-patch
Size: 1511 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0019.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-269.4-Allow-specifying-trust-flags-in-NSSDatabase-and-Cert.patch
Type: text/x-patch
Size: 1986 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0020.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-270.4-Fix-trust-flags-in-HTTP-and-DS-NSS-databases.patch
Type: text/x-patch
Size: 8975 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0021.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-271.4-Add-LDAP-schema-for-wrapped-cryptographic-keys.patch
Type: text/x-patch
Size: 3979 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0022.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-272.4-Add-LDAP-schema-for-certificate-store.patch
Type: text/x-patch
Size: 3439 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0023.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-273.4-Add-container-for-certificate-store.patch
Type: text/x-patch
Size: 1852 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0024.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-274.4-Configure-attribute-uniqueness-for-certificate-store.patch
Type: text/x-patch
Size: 2379 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0025.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-275.4-Add-permissions-for-certificate-store.patch
Type: text/x-patch
Size: 12821 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0026.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-276.4-Add-functions-for-extracting-certificates-fields-in-.patch
Type: text/x-patch
Size: 3376 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0027.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-277.4-Add-function-for-extracting-extended-key-usage-from-.patch
Type: text/x-patch
Size: 1752 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0028.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-278.4-Add-certificate-store-module-ipalib.certstore.patch
Type: text/x-patch
Size: 15471 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0029.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-279.4-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch
Type: text/x-patch
Size: 3206 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0030.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-280.4-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch
Type: text/x-patch
Size: 4282 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0031.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-281.4-Rename-CertDB-method-add_cert-to-import_cert.patch
Type: text/x-patch
Size: 1684 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0032.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-282.4-Add-new-add_cert-method-for-adding-certificates-to-N.patch
Type: text/x-patch
Size: 3843 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0033.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-283.4-Import-CA-certs-from-certificate-store-to-DS-NSS-dat.patch
Type: text/x-patch
Size: 3020 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0034.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-284.4-Import-CA-certs-from-certificate-store-to-HTTP-NSS-d.patch
Type: text/x-patch
Size: 1599 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0035.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-285.4-Upload-renewed-CA-cert-to-certificate-store-on-renew.patch
Type: text/x-patch
Size: 1674 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0036.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-286.4-Refactor-CA-certificate-fetching-code-in-ipa-client-.patch
Type: text/x-patch
Size: 7364 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0037.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-287.4-Support-multiple-CA-certificates-in-etc-ipa-ca.crt-i.patch
Type: text/x-patch
Size: 11021 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0038.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-288.4-Add-function-for-writing-list-of-certificates-to-a-P.patch
Type: text/x-patch
Size: 4357 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0039.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-289.4-Get-CA-certs-for-etc-ipa-ca.crt-from-certificate-sto.patch
Type: text/x-patch
Size: 4372 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0040.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-290.4-Allow-overriding-NSS-database-path-in-RPCClient.patch
Type: text/x-patch
Size: 1705 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0041.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-291.4-Get-CA-certs-for-etc-pki-nssdb-from-certificate-stor.patch
Type: text/x-patch
Size: 10849 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0042.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-292.4-Add-functions-for-DER-encoding-certificate-extension.patch
Type: text/x-patch
Size: 1790 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0043.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-293.4-Get-CA-certs-for-system-wide-store-from-cert-store-i.patch
Type: text/x-patch
Size: 10220 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0044.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-294.4-Get-up-to-date-CA-certificates-from-certificate-stor.patch
Type: text/x-patch
Size: 3398 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0045.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-295.4-Add-new-NSSDatabase-method-get_cert-for-getting-cert.patch
Type: text/x-patch
Size: 1467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0046.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-296.4-Allow-changing-chaining-of-the-IPA-CA-certificate-in.patch
Type: text/x-patch
Size: 4556 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0047.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-297.4-Update-CS.cfg-on-IPA-CA-certificate-chaining-change-.patch
Type: text/x-patch
Size: 3345 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0048.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-298.4-Allow-adding-CA-certificates-to-certificate-store-in.patch
Type: text/x-patch
Size: 5873 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0049.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-299.4-Allow-upgrading-CA-less-to-CA-full-using-ipa-ca-inst.patch
Type: text/x-patch
Size: 15881 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0050.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-303.2-Add-client-certificate-update-tool-ipa-certupdate.patch
Type: text/x-patch
Size: 12141 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0051.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-304.1-Export-full-CA-chain-to-etc-ipa-ca.crt-in-ipa-server.patch
Type: text/x-patch
Size: 1110 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0052.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-305.1-Allow-multiple-CA-certificates-in-replica-info-files.patch
Type: text/x-patch
Size: 1478 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0053.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-306-Update-external-CA-cert-in-Dogtag-NSS-DB-on-IPA-CA-c.patch
Type: text/x-patch
Size: 4211 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0054.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-307-Enable-NSS-PKIX-certificate-path-discovery-and-valid.patch
Type: text/x-patch
Size: 4267 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140723/bb1fda14/attachment-0055.bin>
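
The install log quoted in the message above ends in SEC_ERROR_REUSED_ISSUER_AND_SERIAL, which describes two different certificates sharing one issuer and serial number. The following is an added example, not part of the original message or of FreeIPA's code: a standard-library Python check that scans a PEM bundle for that condition before the bundle is imported into an NSS database. The helper names and the constructed, unsigned sample certificates are assumptions of the example, as is comparing issuers as raw DER bytes.

```python
import base64
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_and_serial(der):
    """Return (raw issuer Name, serial) from a DER-encoded certificate."""
    tag, pos, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    _, pos, _ = read_tlv(der, pos)          # TBSCertificate ::= SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    serial = int.from_bytes(der[start:end], "big")
    _, _, pos = read_tlv(der, end)          # skip signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(der, pos)   # issuer Name, kept as raw bytes
    return der[pos:issuer_end], serial


def find_collisions(pem_text):
    """Return {(issuer, serial): distinct DER certs} for reused pairs."""
    seen = defaultdict(set)
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode(body)
        seen[issuer_and_serial(der)].add(der)
    return {key: certs for key, certs in seen.items() if len(certs) > 1}


# --- constructed sample data (not real certificates) ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128)

def name(cn):
    attr = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode())  # CN=<cn>
    return tlv(0x30, tlv(0x31, tlv(0x30, attr)))

def sample_cert(issuer_cn, serial, subject_cn):
    """Unsigned, certificate-shaped DER with only the fields parsed above."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + name(issuer_cn) + name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "".join(to_pem(c) for c in [
    sample_cert("Example CA", 1, "host-a"),
    sample_cert("Example CA", 1, "host-a"),   # exact duplicate: harmless
    sample_cert("Example CA", 1, "host-b"),   # same issuer/serial, other cert
    sample_cert("Example CA", 2, "host-c"),
])
```

Calling `find_collisions(SAMPLE_BUNDLE)` reports only serial 1, because the exact duplicate is the same certificate and serial 2 is unique.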

