[Freeipa-devel] Needs testing: Replace IPA CA
Rob Crittenden
rcritten at redhat.com
Mon Jul 27 20:59:37 UTC 2009
We were improperly creating the IPA self-signed CA during installation.
It lacked a certificate extension marking it as a CA. This causes the
certificates that IPA generates to not work with Firefox 3.5.
I'm working on a fix for this. If someone wants to give it a test that
would be helpful.
There are several steps you need to take on the initial master. If you
have replicas I'll get back to that:
- Apply the patch to certs.py
(/usr/lib/python*/site-packages/ipaserver/certs.py)
- Back up /etc/dirsrv/slapd-INSTANCE/*.db and *.txt
- Back up /etc/httpd/alias/*.db
- Run ipa-ca with the following options
As root:
# service dirsrv stop
# service httpd stop
# rm -f /etc/dirsrv/slapd-<INSTANCE>/cert8.db
# python ipa-ca -g
# python ipa-ca -i -s yourhost.example.com -o ds.p12 -p password
# python ipa-ca -i -s yourhost.example.com -o http.p12 -p password
# pk12util -i ds.p12 -d /etc/dirsrv/slapd-<INSTANCE> -k /etc/dirsrv/slapd-<INSTANCE>/pwdfile.txt
# rm -f /etc/httpd/alias/*.db
# certutil -N -d /etc/httpd/alias (press enter twice, no password)
# chown apache /etc/httpd/alias/*.db
# pk12util -i http.p12 -d /etc/httpd/alias
# certutil -M -t "CT,,C" -n "CA certificate" -d /etc/httpd/alias
# service dirsrv start
# service httpd start
Your new CA is in /etc/dirsrv/slapd-INSTANCE/cacert.p12. You'll want to
back this up somewhere (and probably remove the .p12 file).
This should generate a new CA, issue 2 certificates and put them into
PKCS#12 files, then import them into your instances.
If you have any replicas then do the same steps without the "ipa-ca -g"
step. ipa-ca should always be run on the initial IPA master.
The basic idea is that 'ipa-ca -g' generates a new CA using the certs.py
patch that you applied. Then you create a PKCS#12 file for each of the
two services on each IPA instance. The process of generating a new CA
creates a new DS database so you just have to import the cert you generated.
For Apache we have to remove the database and re-create it, fixing
permissions along the way. Then the cert is imported and the CA trusted.
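The failure the post describes is easy to reproduce and to test for. The following is an added example, not code from the post or from IPA's certs.py (which drove NSS certutil), and it assumes the third-party Python `cryptography` package. It builds two self-signed certificates, one carrying the basicConstraints CA:TRUE extension and one without any extensions (the defective shape), issues a service certificate from each, and shows that the signature on the issued certificate verifies either way: only the extension check separates the two, which is why a relying party such as Firefox can refuse a chain whose signatures are all mathematically correct. The realm name and hostname are constructed values.

```python
"""Show why a self-signed cert without basicConstraints CA:TRUE is not a CA.

Added example using the `cryptography` package (assumed installed); it is
not part of the original post or of the IPA code base.
"""
from datetime import datetime, timedelta, timezone
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name: str) -> x509.Name:
    # Constructed subject; "EXAMPLE.COM" stands in for the IPA realm.
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "EXAMPLE.COM"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def make_ca(mark_as_ca: bool):
    """Build a self-signed CA. mark_as_ca=False reproduces the defect:
    a self-signed certificate with no basicConstraints or keyUsage."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name("Certificate Authority"))
        .issuer_name(_name("Certificate Authority"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=3650))
    )
    if mark_as_ca:
        # The two extensions a relying party looks at when deciding whether
        # this certificate may sign other certificates.
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True
        ).add_extension(
            x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=True,
                          crl_sign=True, encipher_only=False,
                          decipher_only=False),
            critical=True,
        )
    return key, builder.sign(key, hashes.SHA256())


def issue_service_cert(ca_key, ca_cert, hostname: str):
    """Issue an end-entity cert, like the DS and HTTP certs in the post."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def signature_verifies(issuer_cert, cert) -> bool:
    """Pure signature check; this part was never broken in the buggy CA."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except Exception:
        return False


def ca_defects(cert) -> List[str]:
    """Reasons a relying party would refuse to treat cert as a CA."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        problems.append("missing basicConstraints extension")
    else:
        if not bc.ca:
            problems.append("basicConstraints present but CA:FALSE")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        pass  # keyUsage is optional; absence means no restriction
    else:
        if not ku.key_cert_sign:
            problems.append("keyUsage lacks keyCertSign")
    return problems


if __name__ == "__main__":
    for flag in (False, True):
        ca_key, ca_cert = make_ca(flag)
        svc = issue_service_cert(ca_key, ca_cert, "yourhost.example.com")
        print(f"marked as CA={flag}: signature ok={signature_verifies(ca_cert, svc)}, "
              f"defects={ca_defects(ca_cert) or 'none'}")
```

To run the same check against a CA that is already installed, export it in PEM form with `certutil -L -a -n "CA certificate" -d /etc/httpd/alias`, load the bytes with `x509.load_pem_x509_certificate`, and pass the result to `ca_defects`; an empty list means the basicConstraints problem from the post is gone.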
This works for me with IPA v1.2. I wouldn't recommend doing this on a
production server yet.
rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: certs.diff
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090727/516b85b1/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-ca
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090727/516b85b1/attachment-0001.ksh>