[Freeipa-devel] [PATCH] fix up replica creation and installation
Rob Crittenden
rcritten at redhat.com
Tue Feb 5 17:25:20 UTC 2008
Rob Crittenden wrote:
> I've made fairly major changes to the way replication is handled.
>
> The first is to use file to store the current CA serial number. I could
> have stored it in LDAP, others are free to add this if they like but a
> file is good enough for now.
>
> No longer create a PKCS#12 file that contains the CA. This is a
> self-signed cert after all, no need to walk on egg shells.
>
> No longer send the entire CA to each replica, generate the SSL certs on
> master. This is what drove storing the serial number. We used to send
> the entire CA to each replica so it could be used to generate the SSL certs
> needed. This resulted in duplicate serial numbers and the CA everywhere.
> Instead I changed ipa-replica-prepare to take a FQDN and we generate the
> certificates in advance.
>
> Fix a number of bugs in ipa-replica-install and prepare
>
> Produce status output during replica creation
>
> rob
>
Simo still wanted to keep the CA PKCS#12 file and add a message during
install to be sure this gets backed up. It is only a self-signed cert
but it is a single point of failure and a disk failure could cause
the IPA CA to be lost.
rob
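As an added illustration of the design discussed above (not code from the patch or from FreeIPA): a file-backed CA serial counter held only on the master, with a lock around the read-modify-write and an atomic rename on write, so that certificates prepared in advance for each replica FQDN never share a serial number. File paths and replica names are constructed for the example.

```python
import fcntl
import os
import tempfile


def next_serial(serial_path):
    """Allocate the next CA serial number from a file on the master.

    The read-modify-write is done under an exclusive lock so two
    concurrent prepare runs cannot hand out the same serial, and the
    new value is written to a temp file and renamed into place so a
    crash mid-write leaves the old counter rather than a truncated file.
    """
    lock_path = serial_path + ".lock"
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(serial_path) as f:
                current = int(f.read().strip() or "0")
        except FileNotFoundError:
            current = 0  # first issuance: counter file does not exist yet
        serial = current + 1
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(serial_path) or ".")
        with os.fdopen(fd, "w") as f:
            f.write("%d\n" % serial)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, serial_path)  # atomic on POSIX
        fcntl.flock(lock, fcntl.LOCK_UN)
    return serial


def prepare_replica_certs(serial_path, fqdns):
    """Reserve one serial per replica FQDN on the master, in advance.

    Returns {fqdn: serial}; a real tool would sign a cert per entry
    instead of distributing the CA key to every replica.
    """
    return {fqdn: next_serial(serial_path) for fqdn in fqdns}


def serials_unique(assignments):
    """True when no two replicas were given the same serial number."""
    return len(set(assignments.values())) == len(assignments)


def demo():
    """Constructed run: fresh counter file, two prepare invocations."""
    path = os.path.join(tempfile.mkdtemp(), "serial.txt")  # constructed
    first = prepare_replica_certs(path, ["replica1.example.test",
                                         "replica2.example.test"])
    second = prepare_replica_certs(path, ["replica3.example.test"])
    return {**first, **second}
```

Running demo() twice against separate temp directories gives the same serials, which is exactly the collision that sharing the whole CA with every replica produced; keeping a single counter on the master is what removes it.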
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-629-replica2.patch
Type: text/x-patch
Size: 17307 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080205/574c5bb4/attachment.bin>