[Freeipa-devel] Using your own certs

Simo Sorce ssorce at redhat.com
Mon Jul 7 17:53:15 UTC 2008 

On Mon, 2008-07-07 at 13:27 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2008-07-03 at 16:26 -0400, Simo Sorce wrote:
> >> On Thu, 2008-07-03 at 16:12 -0400, Rob Crittenden wrote:
> >>> We wanted to provide an easy way to replace the self-signed certificates 
> >>> generated during IPA installation so we created a tool, 
> >>> ipa-server-certinstall. Unfortunately this is pretty badly broken in 
> >>> v1.1. I've fixed it in the tip but there is one last issue sort of 
> >>> peripherally related.
> >>>
> >>> When we create a replica using ipa-replica-prepare we pre-generate the 
> >>> SSL certs for use on the replica. If you've replaced the DS certs then 
> >>> you no longer have a CA to issue the certs so the replica preparation 
> >>> falls down pretty hard.
> >>>
> >>> The "CA" in IPA isn't really much of anything but we do keep a serial 
> >>> number file (/usr/share/ipa/serialno) to keep track of things. What I 
> >>> was thinking is that if the DS certificate is replaced then we 
> >>> rename/delete this file. I can then test for existence so I can do the 
> >>> right thing in ipa-replica-prepare (by prompting for the 2 PKCS#12 files 
> >>> to install on the remote server).
> >>>
> >>> Otherwise I'm going to need to test for the CA using certutil and try to 
> >>> parse the output to see whether I can continue or not.
> >>>
> >>> Does this sound reasonable?
> >> Works for me, serialno is useless anyway if we are not using a
> >> selfsigned ca, go that route.
> > 
> > The only gotcha is that we must move that file (in any case)
> > unde /var/lib/ipa, as we are not supposed to change stuff in /usr during
> > normal operations. Also we must make sure that file is not owned by the
> > rpm package or rpm will a) complain, b) put back a new file on upgrade.
> > 
> > Simo.
> > 
> 
> Good point. I may in fact move it to /etc/ipa.
> 
> rpm doesn't know about this file so we're ok there.

/var/lib is better for stuff that users are not supposed to touch.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list