[Freeipa-devel] [freeipa PR#758][opened] install: fix CA-less PKINIT

HonzaCholasta freeipa-github-notification at redhat.com
Wed May 3 13:26:31 UTC 2017


   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: opened

PR body:
"""
**certdb: add named trust flag constants**

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

**certdb, certs: make trust flags argument mandatory**

Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

**certdb: use custom object for trust flags**

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

**install: trust IPA CA for PKINIT**

Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

**client install: fix client PKINIT configuration**

Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

**server install: fix KDC PKINIT configuration**

Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.

Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

**certs: do not export CA certs in install_pem_from_p12**

This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.

**server install: fix KDC certificate validation in CA-less**

Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

**cacert manage: support PKINIT**

Allow installing third-party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

**server certinstall: support PKINIT**

Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-758.patch
Type: text/x-diff
Size: 83337 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20170503/a770448e/attachment.bin>
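The "client install" and "server install" commits above turn on the distinction MIT Kerberos draws between `pkinit_anchors` (CAs trusted to have issued the peer's certificate) and `pkinit_pool` (extra certificates usable for chain building but not trusted by themselves). The fragments below are an added illustration of that distinction, not configuration taken from the PR or from FreeIPA; the realm name and every file path except `/etc/ipa/ca.crt`, `cacert.pem` and `kdc.crt` (which the PR body names) are assumptions.

```ini
# Before (client krb5.conf): every CA in /etc/ipa/ca.crt, including any
# third-party CA installed with cacert manage for other purposes, is
# accepted as an issuer of the KDC certificate.
[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

# After (client krb5.conf): anchors hold only the CAs trusted to issue
# KDC certificates; the full set of CAs known to IPA is supplied as a
# pool, so intermediates can be found without being trust anchors.
# Bundle paths are illustrative, not the PR's actual file names.
[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool    = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

# KDC side (kdc.conf): anchors are the CAs trusted to issue PKINIT client
# certificates, which is what the PR restricts cacert.pem to; kdc.crt holds
# only the KDC end-entity certificate, never the full chain. Directory
# paths are again illustrative.
[realms]
  EXAMPLE.TEST = {
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
    pkinit_anchors  = FILE:/var/kerberos/krb5kdc/cacert.pem
    pkinit_pool     = FILE:/var/kerberos/krb5kdc/ca-bundle.pem
  }
```

The check a practitioner should make after applying such a change: the bundle named in `pkinit_anchors` must contain nothing but CAs you are willing to have vouch for a KDC (client side) or for a user (KDC side). Anything that only needs to be *known* belongs in `pkinit_pool`.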
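The "fix KDC certificate validation in CA-less" commit says the installer now verifies that a user-supplied KDC certificate carries the extended key usage and subject alternative name a KDC needs. RFC 4556 spells those out: the `id-pkinit-KPKdc` EKU and an `id-pkinit-san` otherName whose `KRB5PrincipalName` is `krbtgt/REALM@REALM`. The following is an added, stand-alone example of that check, written for this page and not FreeIPA's own code; it encodes and decodes the `KRB5PrincipalName` structure by hand so it runs without any certificate library, and takes the EKU OIDs and SAN otherNames as already-extracted values (with the `cryptography` package these come from `cert.extensions`). The realm, the sample EKU lists and the helper names are assumptions made for the example.

```python
"""Check the PKINIT-relevant parts of a KDC certificate (RFC 4556 3.2.4).

Added example; not FreeIPA code.  The caller supplies the EKU OIDs and the
subjectAltName otherName entries (type-id OID, DER value) of the cert.
"""

ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"  # extendedKeyUsage for a PKINIT KDC
ID_PKINIT_SAN = "1.3.6.1.5.2.2"      # otherName type-id: KRB5PrincipalName
NT_SRV_INST = 2                      # Kerberos name-type used for krbtgt/REALM
SEQUENCE, INTEGER, GENERAL_STRING = 0x30, 0x02, 0x1B


def _tlv(tag, body):
    """DER tag-length-value with short or long form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _der_int(value):
    size = max(1, (value.bit_length() + 8) // 8)  # minimal two's complement
    return _tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def _kstring(s):
    return _tlv(GENERAL_STRING, s.encode("ascii"))  # KerberosString


def encode_krb5_principal_name(realm, components, name_type=NT_SRV_INST):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1]
    PrincipalName }; Kerberos tags are EXPLICIT, so [n] wraps a full TLV."""
    principal = _tlv(SEQUENCE,
                     _tlv(0xA0, _der_int(name_type))
                     + _tlv(0xA1, _tlv(SEQUENCE, b"".join(_kstring(c) for c in components))))
    return _tlv(SEQUENCE, _tlv(0xA0, _kstring(realm)) + _tlv(0xA1, principal))


def _read_tlv(buf, pos=0):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _one(tag, tlv, what):
    if tlv[0] != tag:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, tag, tlv[0]))
    return tlv[1]


def _unwrap(n, tlv, what):
    """Strip an explicit [n] tag and return the single (tag, value) inside."""
    inner = _children(_one(0xA0 | n, tlv, what))
    if len(inner) != 1:
        raise ValueError("%s: expected exactly one value inside [%d]" % (what, n))
    return inner[0]


def decode_krb5_principal_name(der):
    """Return (realm, name_type, components) or raise ValueError."""
    tag, body, end = _read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("KRB5PrincipalName: expected a single SEQUENCE")
    fields = _children(body)
    if len(fields) != 2:
        raise ValueError("KRB5PrincipalName: expected realm and principalName")
    realm = _one(GENERAL_STRING, _unwrap(0, fields[0], "realm"), "realm").decode("ascii")
    pfields = _children(_one(SEQUENCE, _unwrap(1, fields[1], "principalName"), "PrincipalName"))
    if len(pfields) != 2:
        raise ValueError("PrincipalName: expected name-type and name-string")
    name_type = int.from_bytes(_one(INTEGER, _unwrap(0, pfields[0], "name-type"), "name-type"),
                               "big", signed=True)
    seq = _one(SEQUENCE, _unwrap(1, pfields[1], "name-string"), "name-string")
    components = [_one(GENERAL_STRING, c, "name-string").decode("ascii") for c in _children(seq)]
    return realm, name_type, components


def check_kdc_cert(realm, eku_oids, san_othernames):
    """Return a list of problems; [] means the cert is usable as the
    PKINIT KDC certificate for `realm`.  (MIT krb5 can alternatively match
    a dNSName against pkinit_kdc_hostname; that path is not modelled.)"""
    problems = []
    if ID_PKINIT_KPKDC not in eku_oids:
        problems.append("extendedKeyUsage lacks id-pkinit-KPKdc (%s)" % ID_PKINIT_KPKDC)
    found = False
    for type_id, der in san_othernames:
        if type_id != ID_PKINIT_SAN:
            continue
        try:
            san_realm, _name_type, components = decode_krb5_principal_name(der)
        except ValueError as exc:
            problems.append("malformed id-pkinit-san otherName: %s" % exc)
            continue
        # Realm names are case-sensitive: compare exactly, no normalisation.
        if san_realm == realm and components == ["krbtgt", realm]:
            found = True
    if not found:
        problems.append("subjectAltName has no id-pkinit-san for krbtgt/%s@%s" % (realm, realm))
    return problems


# Constructed sample inputs (assumed realm; not from a real deployment).
REALM = "EXAMPLE.TEST"
GOOD_KDC_CERT = {
    "eku": [ID_PKINIT_KPKDC, "1.3.6.1.5.5.7.3.1"],  # PKINIT KDC + serverAuth
    "san": [(ID_PKINIT_SAN, encode_krb5_principal_name(REALM, ["krbtgt", REALM]))],
}
# A certificate issued for TLS only: serverAuth EKU, no id-pkinit-san.
TLS_ONLY_CERT = {"eku": ["1.3.6.1.5.5.7.3.1"], "san": []}
```

Running `check_kdc_cert(REALM, **GOOD_KDC_CERT)`-style calls on both samples shows the difference: the constructed KDC certificate passes, the TLS-only one is rejected for both the missing EKU and the missing SAN, and a truncated or malformed otherName is reported as a problem rather than crashing the installer.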

