[Freeipa-devel] [QUASI-PATCH] issue new CA certificate

Rob Crittenden rcritten at redhat.com
Fri Aug 28 21:06:59 UTC 2009


Here is just a proposed solution.

The problem is that the CA we created up until now lacked the CA basic 
constraint which means that newer releases of NSS don't consider it a 
valid CA. This also means that Firefox 3.5 won't work with IPA 1.x.

What this script does is generate a certificate with the right 
extensions using the existing key. This means that we don't need to 
re-issue all the server certs as well.

It also means that once the new cert is issued it needs to be 
distributed to the 4 winds. On replicas it shouldn't be a big deal but 
any user that has connected to the web interface will need to trust the 
new certificate.

Note that this program depends on an unapproved patch, [PATCH] 260 allow 
a CA to be regenerated.

Anyway, if you could give this a look-see I'll try to figure out how we 
want to deliver it. I'm not sure I want to include it in the IPA 
distribution since it only applies to existing installs. I'd appreciate 
any thoughts on that as well.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-newca
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090828/8f72a79f/attachment.ksh>
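The re-issue step the mail describes, as an added example that is not Rob's ipa-newca script: it checks a CA certificate for the basicConstraints CA extension that newer NSS requires, then builds a replacement self-signed CA cert from the same key and subject so certificates already signed by that key keep chaining. It uses the Python `cryptography` library rather than NSS/certutil, and the helper names, the "Example IPA CA" subject and the constructed legacy CA are assumptions.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def is_valid_ca(cert):
    """True only if basicConstraints is present with CA=TRUE, which is the
    check newer NSS applies before it will trust a cert as an issuer."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def _builder(subject, key, days):
    # Shared skeleton: self-signed (issuer == subject), fresh serial, validity window.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_legacy_ca(key, subject):
    """Constructed stand-in for the old IPA 1.x CA: self-signed, no extensions."""
    return _builder(subject, key, 3650).sign(key, hashes.SHA256())


def reissue_ca(old_cert, key, days=3650):
    """New CA cert with the same subject and key as old_cert plus CA extensions.
    Issuer name and public key are unchanged, so existing server certs still chain."""
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=True, crl_sign=True,
                       encipher_only=False, decipher_only=False)
    return (_builder(old_cert.subject, key, days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(ku, critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                           critical=False)
            .sign(key, hashes.SHA256()))


def demo():
    """Returns (old_is_ca, new_is_ca, same_key, same_subject) for a constructed CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example IPA CA")])
    old = make_legacy_ca(key, subject)
    new = reissue_ca(old, key)
    return (is_valid_ca(old), is_valid_ca(new),
            old.public_key().public_numbers() == new.public_key().public_numbers(),
            old.subject == new.subject)
```

Because the new cert is a different self-signed root (new serial, new signature), every client that pinned or trusted the old one still has to import the replacement, which is the distribution problem the mail points out.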