[Freeipa-devel] Using your own certs
Simo Sorce
ssorce at redhat.com
Thu Jul 3 20:28:29 UTC 2008
On Thu, 2008-07-03 at 16:26 -0400, Simo Sorce wrote:
> On Thu, 2008-07-03 at 16:12 -0400, Rob Crittenden wrote:
> > We wanted to provide an easy way to replace the self-signed certificates
> > generated during IPA installation so we created a tool,
> > ipa-server-certinstall. Unfortunately this is pretty badly broken in
> > v1.1. I've fixed it in the tip but there is one last issue sort of
> > peripherally related.
> >
> > When we create a replica using ipa-replica-prepare we pre-generate the
> > SSL certs for use on the replica. If you've replaced the DS certs then
> > you no longer have a CA to issue the certs so the replica preparation
> > falls down pretty hard.
> >
> > The "CA" in IPA isn't really much of anything but we do keep a serial
> > number file (/usr/share/ipa/serialno) to keep track of things. What I
> > was thinking is that if the DS certificate is replaced then we
> > rename/delete this file. I can then test for existence so I can do the
> > right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files
> > to install on the remote server).
> >
> > Otherwise I'm going to need to test for the CA using certutil and try to
> > parse the output to see whether I can continue or not.
> >
> > Does this sound reasonable?
>
> Works for me, serialno is useless anyway if we are not using a
> self-signed CA, go that route.
The only gotcha is that we must move that file (in any case)
under /var/lib/ipa, as we are not supposed to change stuff in /usr during
normal operations. Also we must make sure that file is not owned by the
rpm package or rpm will a) complain, b) put back a new file on upgrade.
Simo.
--
Simo Sorce * Red Hat, Inc * New York