[Freeipa-devel] [PATCH] 240 Better cert nickname handling
Rob Crittenden
rcritten at redhat.com
Thu Jul 23 16:25:38 UTC 2009
A few issues were found in the way we identify the root cert to trust
when importing PKCS#12 files. The regex was not specific enough and
there is no need to explicitly trust root CAs that are built into NSS.
I also did a little bit of code cleanup to add logging and remove an
unused import.
And finally, I added a bit of code that should help a basic install on
Fedora 11. The certutil on Fedora 11 doesn't return untrusted CAs in its
-O output. This will fix the self-signed IPA default CA case anyway.
If acked I'll push a similar patch to the 1-2 branch as well. We lack
the self-signed CA awareness so I'm not sure how I'm going to tackle
that yet but I suspect that I'll simply make it the default if no CA is
found (along with a log entry saying so).
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-240-certs.patch
Type: text/x-patch
Size: 2279 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090723/3cf85c01/attachment.bin>