[Freeipa-devel] Using your own certs

[Simo Sorce]

On Thu, 2008-07-03 at 16:12 -0400, Rob Crittenden wrote:
> We wanted to provide an easy way to replace the self-signed certificates 
> generated during IPA installation so we created a tool, 
> ipa-server-certinstall. Unfortunately this is pretty badly broken in 
> v1.1. I've fixed it in the tip but there is one last issue sort of 
> peripherally related.
> 
> When we create a replica using ipa-replica-prepare we pre-generate the 
> SSL certs for use on the replica. If you've replaced the DS certs then 
> you no longer have a CA to issue the certs so the replica preparation 
> falls down pretty hard.
> 
> The "CA" in IPA isn't really much of anything but we do keep a serial 
> number file (/usr/share/ipa/serialno) to keep track of things. What I 
> was thinking is that if the DS certificate is replaced then we 
> rename/delete this file. I can then test for existence so I can do the 
> right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files 
> to install on the remote server).
> 
> Otherwise I'm going to need to test for the CA using certutil and try to 
> parse the output to see whether I can continue or not.
> 
> Does this sound reasonable?

Works for me, serialno is useless anyway if we are not using a
selfsigned ca, go that route.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York