[Freeipa-devel] Using your own certs
Rob Crittenden
rcritten at redhat.com
Thu Jul 3 20:12:21 UTC 2008
We wanted to provide an easy way to replace the self-signed certificates
generated during IPA installation so we created a tool,
ipa-server-certinstall. Unfortunately this is pretty badly broken in
v1.1. I've fixed it in the tip but there is one last issue sort of
peripherally related.
When we create a replica using ipa-replica-prepare we pre-generate the
SSL certs for use on the replica. If you've replaced the DS certs then
you no longer have a CA to issue the certs so the replica preparation
falls down pretty hard.
The "CA" in IPA isn't really much of anything but we do keep a serial
number file (/usr/share/ipa/serialno) to keep track of things. What I
was thinking is that if the DS certificate is replaced then we
rename/delete this file. I can then test for existence so I can do the
right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files
to install on the remote server).
Otherwise I'm going to need to test for the CA using certutil and try to
parse the output to see whether I can continue or not.
Does this sound reasonable?
thanks
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080703/0f721790/attachment.bin>
More information about the Freeipa-devel
mailing list