[Freeipa-devel] [PATCH] First pass at CA installer
Jason Gerard DeRose
jderose at redhat.com
Fri Apr 3 07:52:42 UTC 2009
On Wed, 2009-04-01 at 23:22 -0400, Rob Crittenden wrote:
> Implement an installer for the Dogtag certificate system.
>
> The CA is currently not automatically installed. You have to pass in the
> --ca flag to install it.
>
> What works:
> - installation
> - uninstallation
> - cert/ra plugins can issue and retrieve server certs
>
> What doesn't work:
> - self-signed CA is still created and issues Apache and DS certs
> - dogtag and python-nss not in rpm requires
> - requires that CS be in the "pre" install state from pkicreate
>
> So basically after doing this you have 2 CAs. The old self-signed CA
> from IPA v1 and a new dogtag-based CA. This new CA is used by the
> cert/ra plugins. My next step is to replace the self-signed CA.
>
> I'm also doing all my testing of dogtag using the SVN tip. A number of
> important bug fixes are there.
>
> This also adds a python-nss based httplib library. Also on my list of
> things to do is to drop the fork calls to sslget. They aren't very
> efficient and they make SELinux cry.
>
> rob
ack. I don't understand all of the installer details, but everything
looks reasonable to me, doesn't seem to break anything.
Thanks for fixing the ra.sec_dir path when running in the server.