[Freeipa-devel] [PATCH] fix up replica creation and installation

Simo Sorce ssorce at redhat.com
Tue Feb 5 17:19:15 UTC 2008


Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I've made fairly major changes to the way replication is handled.
>>
>> The first is to use a file to store the current CA serial number. I 
>> could have stored it in LDAP, others are free to add this if they like 
>> but a file is good enough for now.
>>
>> No longer create a PKCS#12 file that contains the CA. This is a 
>> self-signed cert after all, no need to walk on egg shells.
>>
>> No longer send the entire CA to each replica; generate the SSL certs 
>> on the master. This is what drove storing the serial number. We used to 
>> send the entire CA to each replica so it could be used to generate the 
>> SSL certs needed. This resulted in duplicate serial numbers and the CA 
>> everywhere. Instead I changed ipa-replica-prepare to take a FQDN and 
>> we generate the certificates in advance.
>>
>> Fix a number of bugs in ipa-replica-install and prepare
>>
>> Produce status output during replica creation
>>
>> rob
>>
> 
> Simo still wanted to keep the CA PKCS#12 file and add a message during 
> install to be sure this gets backed up. It is only a self-signed cert 
> but it is a single point of failure and a disk failure could cause 
> the IPA CA to be lost.

Good one!
Simo.
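The reason Rob gives for keeping the serial counter on the master is that copying the CA to every replica let each copy issue certificates from its own counter, so serials collided. The sketch below is an added illustration of a single file-backed counter of that kind; it is not FreeIPA's code, and the counter path, its one-integer-per-file format, the lock-file convention and the helper names are all assumptions made here. It relies on POSIX file locking and atomic rename, so it is Linux/Unix only.

```python
import fcntl
import os
import tempfile

# Added illustration, not FreeIPA's implementation: one authoritative
# CA serial counter kept in a file on the master, so certificates
# pre-generated for each replica FQDN never share a serial number.
# Path, file format and function names are assumptions.


def next_serial(path):
    """Atomically allocate the next CA serial number from the counter file.

    The file holds a single decimal integer (assumed format). An exclusive
    flock on a sidecar lock file serialises concurrent callers; writing to
    a temp file and os.replace()-ing it keeps the counter intact if the
    process dies mid-write, so a serial is never reissued after a crash.
    """
    lock_path = path + ".lock"
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                current = int(f.read().strip() or "0")
        except FileNotFoundError:
            current = 0  # fresh CA: the first issued serial is 1
        serial = current + 1
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write("%d\n" % serial)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX
        fcntl.flock(lock, fcntl.LOCK_UN)
    return serial


def allocate_for_replicas(path, fqdns):
    """Reserve one serial per replica FQDN on the master, in the spirit of
    an ipa-replica-prepare run that generates the certs in advance."""
    return {fqdn: next_serial(path) for fqdn in fqdns}


def serials_unique(assignment):
    """True if no two replicas were handed the same serial."""
    return len(set(assignment.values())) == len(assignment)


def demo():
    """Exercise the allocator against a scratch counter file and return
    the per-replica assignment plus the serial issued after it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "serial")
        # Constructed replica names for the example.
        assignment = allocate_for_replicas(
            path,
            ["replica1.example.com", "replica2.example.com", "replica3.example.com"],
        )
        following = next_serial(path)
    return assignment, following


if __name__ == "__main__":
    assignment, following = demo()
    for fqdn, serial in assignment.items():
        print("%-24s serial %d" % (fqdn, serial))
    print("next free serial:", following)
```

The point the thread makes is that two independent copies of this counter, one per replica, would each start at 1 and hand out the same serials; funnelling every allocation through the master's single file is what removes the collision.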



