[Freeipa-devel] [QUASI-PATCH] issue new CA certificate
Rob Crittenden
rcritten at redhat.com
Fri Aug 28 21:06:59 UTC 2009
Here is just a proposed solution.
The problem is that the CA we created up until now lacked the CA basic
constraint which means that newer releases of NSS don't consider it a
valid CA. This also means that Firefox 3.5 won't work with IPA 1.x.
What this script does is generate a certificate with the right
extensions using the existing key. This means that we don't need to
re-issue all the server certs as well.
It also means that once the new cert is issued it needs to be
distributed to the 4 winds. On replicas it shouldn't be a big deal but
any user that has connected to the web interface will need to trust the
new certificate.
Note that this program depends on an unapproved patch, [PATCH] 260 allow
a CA to be regenerated.
Anyway, if you could give this a look-see I'll try to figure out how we
want to deliver it. I'm not sure I want to include it in the IPA
distribution since it only applies to existing installs. I'd appreciate
any thoughts on that as well.
rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-newca
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090828/8f72a79f/attachment.ksh>
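The scrubbed ipa-newca script is not on this page, so the following is an added Go example (not Rob's script and not FreeIPA code) that reproduces the situation: a self-signed CA certificate without basicConstraints, a server certificate issued under it, and a replacement CA certificate regenerated from the same key and subject with CA:TRUE. Go's verifier applies the same RFC 5280 rule the mail attributes to newer NSS (a v3 certificate lacking basicConstraints may not sign certificates), so the old CA is refused while the untouched server cert chains to the reissued one. All names (EXAMPLE.TEST, ipa.example.test) are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// HasCABasicConstraint is the issuer rule newer NSS enforces: basicConstraints present with cA=TRUE.
func HasCABasicConstraint(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

// issue signs tmpl with priv (the issuer's key) and parses the resulting DER; panics suit a demo only.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// ChainsTo reports whether leaf verifies with root as the only trust anchor (constructed hostname).
func ChainsTo(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "ipa.example.test"})
	return err
}

// Demo builds constructed data mirroring the mail: a self-signed CA cert with no basicConstraints (IsCA and
// BasicConstraintsValid left false, so none is emitted), a server cert under it, and a reissued CA cert.
func Demo() (oldCA, newCA, server *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	old := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Certificate Authority", Organization: []string{"EXAMPLE.TEST"}}}
	oldCA = issue(old, old, &caKey.PublicKey, caKey)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: []string{"ipa.example.test"}, Subject: pkix.Name{CommonName: "ipa.example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = issue(srv, oldCA, &srvKey.PublicKey, caKey)
	// Replacement CA: same key, the exact subject DER the server cert names as its issuer, now with CA:TRUE.
	repl := &x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: nb, NotAfter: na, RawSubject: oldCA.RawSubject, BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	newCA = issue(repl, repl, &caKey.PublicKey, caKey)
	return
}
```

Distributing newCA to clients is then the only remaining step; server certificates issued under the old CA certificate stay valid because the issuer name and signing key are unchanged.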