[Freeipa-devel] Using your own certs

[Simo Sorce]

On Thu, 2008-07-03 at 16:26 -0400, Simo Sorce wrote:
> On Thu, 2008-07-03 at 16:12 -0400, Rob Crittenden wrote:
> > We wanted to provide an easy way to replace the self-signed certificates 
> > generated during IPA installation so we created a tool, 
> > ipa-server-certinstall. Unfortunately this is pretty badly broken in 
> > v1.1. I've fixed it in the tip but there is one last issue sort of 
> > peripherally related.
> > 
> > When we create a replica using ipa-replica-prepare we pre-generate the 
> > SSL certs for use on the replica. If you've replaced the DS certs then 
> > you no longer have a CA to issue the certs so the replica preparation 
> > falls down pretty hard.
> > 
> > The "CA" in IPA isn't really much of anything but we do keep a serial 
> > number file (/usr/share/ipa/serialno) to keep track of things. What I 
> > was thinking is that if the DS certificate is replaced then we 
> > rename/delete this file. I can then test for existence so I can do the 
> > right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files 
> > to install on the remote server).
> > 
> > Otherwise I'm going to need to test for the CA using certutil and try to 
> > parse the output to see whether I can continue or not.
> > 
> > Does this sound reasonable?
> 
> Works for me, serialno is useless anyway if we are not using a
> selfsigned ca, go that route.

The only gotcha is that we must move that file (in any case)
unde /var/lib/ipa, as we are not supposed to change stuff in /usr during
normal operations. Also we must make sure that file is not owned by the
rpm package or rpm will a) complain, b) put back a new file on upgrade.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York