[Freeipa-devel] [PATCH] fix up replica creation and installation
Rob Crittenden
rcritten at redhat.com
Tue Feb 5 18:53:32 UTC 2008
Simo Sorce wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> I've made fairly major changes to the way replication is handled.
>>>
>>> The first is to use a file to store the current CA serial number. I
>>> could have stored it in LDAP, others are free to add this if they
>>> like but a file is good enough for now.
>>>
>>> No longer create a PKCS#12 file that contains the CA. This is a
>>> self-signed cert after all, no need to walk on egg shells.
>>>
>>> No longer send the entire CA to each replica, generate the SSL certs
>>> on master. This is what drove storing the serial number. We used to
>>> send the entire CA to each replica so it could be used to generate the
>>> SSL certs needed. This resulted in duplicate serial numbers and the
>>> CA everywhere. Instead I changed ipa-replica-prepare to take a FQDN
>>> and we generate the certificates in advance.
>>>
>>> Fix a number of bugs in ipa-replica-install and prepare
>>>
>>> Produce status output during replica creation
>>>
>>> rob
>>>
>>
>> Simo still wanted to keep the CA PKCS#12 file and add a message during
>> install to be sure this gets backed up. It is only a self-signed cert
>> but it is a single point of failure and a disk failure could cause
>> the IPA CA to be lost.
>
> Good one!
> Simo.
>
pushed
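The serial-number problem described in the patch summary above (each replica holding a copy of the CA and allocating from the same counter state, versus one counter on the master used when ipa-replica-prepare generates the replica's certs in advance), as an added example. This is not FreeIPA code: it models only the serial allocation, not certificate generation, and the serial file path, starting serial and replica names are assumptions.

```python
"""Serial allocation for a CA shared across replicas (added example, not
FreeIPA code).

Two schemes are modelled: the replaced one, where every replica receives
a copy of the CA state and issues its own cert from that copy, and the
new one, where the master allocates all serials from a single file while
preparing each replica's certs."""
import fcntl
import os
import shutil
import tempfile


def next_serial(path, start=1000):
    """Atomically read, increment and persist the serial stored in `path`.

    The file is locked for the whole read-modify-write so two concurrent
    ipa-replica-prepare runs on the master cannot hand out the same value.
    Returns the serial to put in the next certificate. The `start` value is
    an assumption used only when the file is still empty."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        raw = os.read(fd, 64).strip()
        serial = int(raw) if raw else start
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, b"%d\n" % (serial + 1))
        os.fsync(fd)
        return serial
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def issue_per_replica(ca_serial_file, replica_fqdns, workdir):
    """Replaced scheme: each replica gets a copy of the CA (here, a copy of
    its serial file) and issues its own cert from that copy."""
    issued = []
    for fqdn in replica_fqdns:
        copy = os.path.join(workdir, fqdn + ".serial")
        shutil.copyfile(ca_serial_file, copy)
        issued.append((fqdn, next_serial(copy)))
    return issued


def issue_on_master(ca_serial_file, replica_fqdns):
    """New scheme: the master allocates every serial from its single file
    while generating each replica's certs in advance."""
    return [(fqdn, next_serial(ca_serial_file)) for fqdn in replica_fqdns]


def has_duplicate_serials(issued):
    """True if any two issued certs share a serial number."""
    serials = [serial for _, serial in issued]
    return len(serials) != len(set(serials))


def demo():
    """Run both schemes from the same constructed CA state and report results."""
    workdir = tempfile.mkdtemp(prefix="ca-serial-")
    ca_serial_file = os.path.join(workdir, "ca.serial")
    with open(ca_serial_file, "w") as f:
        f.write("1000\n")  # constructed starting state of the master's CA
    replicas = ["replica1.example.com", "replica2.example.com"]  # assumed names
    per_replica = issue_per_replica(ca_serial_file, replicas, workdir)
    on_master = issue_on_master(ca_serial_file, replicas)
    with open(ca_serial_file) as f:
        next_free = int(f.read())
    return {
        "per_replica": per_replica,
        "per_replica_duplicates": has_duplicate_serials(per_replica),
        "on_master": on_master,
        "on_master_duplicates": has_duplicate_serials(on_master),
        "next_free_serial": next_free,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the copied-CA scheme both replicas issue serial 1000; with the master-side counter they get 1000 and 1001 and the file is left at 1002 for the next run. The same lock protects the file against two prepare runs started at once on the master.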