[Freeipa-devel] Using your own certs
Simo Sorce
ssorce at redhat.com
Thu Jul 3 20:26:45 UTC 2008
On Thu, 2008-07-03 at 16:12 -0400, Rob Crittenden wrote:
> We wanted to provide an easy way to replace the self-signed certificates
> generated during IPA installation so we created a tool,
> ipa-server-certinstall. Unfortunately this is pretty badly broken in
> v1.1. I've fixed it in the tip but there is one last issue sort of
> peripherally related.
>
> When we create a replica using ipa-replica-prepare we pre-generate the
> SSL certs for use on the replica. If you've replaced the DS certs then
> you no longer have a CA to issue the certs so the replica preparation
> falls down pretty hard.
>
> The "CA" in IPA isn't really much of anything but we do keep a serial
> number file (/usr/share/ipa/serialno) to keep track of things. What I
> was thinking is that if the DS certificate is replaced then we
> rename/delete this file. I can then test for existence so I can do the
> right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files
> to install on the remote server).
>
> Otherwise I'm going to need to test for the CA using certutil and try to
> parse the output to see whether I can continue or not.
>
> Does this sound reasonable?
Works for me, serialno is useless anyway if we are not using a
selfsigned ca, go that route.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list