[Freeipa-devel] [PATCH] 269 external CA signing, abstract RA
Rob Crittenden
rcritten at redhat.com
Thu Sep 10 20:35:16 UTC 2009
The RA plugin originally only supported dogtag. At some point I want to
be able to do on-line replica creation and this means we need to be able
to do remote cert requests. To support this I've abstracted the RA
plugin and added basic self-signed CA support. To do this I had to move
the CA private key from the DS NSS database to the Apache NSS database.

The bulk of the patch adds support for an externally-signed dogtag CA.
This is a 2-step process. You run the IPA installer to create the CA
instance and generate a CSR. You take this CSR to your primary CA and
get it signed, then re-run the IPA installer and pass it this new cert.

A lot of our cert functions assumed 1 cert-per-file. I had to remove
that assumption and add in a sort of generic nickname generator. It
assumes that the certs will be in some sort of order in the file. It
doesn't really matter as long as the nicknames are unique.

A replica created with a self-signed CA will not be able to issue certs
yet. I started this work by enhancing the file used to store the next
serial number to also store the next serial number to be used by a
replica. The idea is that we ship this to the replica then bump it up by
some value so that all replicas are unique. I think we'll have to
enforce that replicas can't create other replicas.
rob
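The message above describes dropping the one-cert-per-file assumption and generating unique NSS nicknames for every certificate found in a PEM file. The following is an added illustration of that idea, not code from the patch or from FreeIPA: it splits a PEM bundle into its certificates in file order, rejects blobs that are not a well-formed DER SEQUENCE, and assigns nicknames that stay unique even when the same certificate appears twice. The nickname scheme ("CA certificate", "CA certificate #2", ...), the function names and the sample bundle are all assumptions; the sample "certificates" are tiny constructed DER SEQUENCEs, not real X.509 data.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block and captures its base64 body (assumed format).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_len(der):
    """Return the total encoded length if `der` starts with a well-formed
    DER SEQUENCE (tag 0x30), else None. Every X.509 certificate is a SEQUENCE,
    so this catches truncated or garbage blobs before they reach NSS."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        return None
    length = int.from_bytes(der[2:2 + nbytes], "big")
    return 2 + nbytes + length


def split_pem_bundle(text):
    """Return the DER blob of every certificate in a PEM bundle, in file order.
    Raises ValueError if a block decodes to something that is not exactly one
    DER SEQUENCE."""
    ders = []
    for body in PEM_CERT_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        if der_sequence_len(der) != len(der):
            raise ValueError("PEM block is not a single well-formed DER SEQUENCE")
        ders.append(der)
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, used to spot duplicate certs."""
    return hashlib.sha256(der).hexdigest()


def assign_nicknames(ders, base="CA certificate"):
    """Give each distinct certificate a unique nickname, in file order.
    The first cert gets `base`, later ones get `base #2`, `base #3`, ...;
    a cert that appears twice in the file is only imported once."""
    seen = set()
    result = []
    for der in ders:
        fp = fingerprint(der)
        if fp in seen:
            continue
        n = len(result)
        nick = base if n == 0 else "%s #%d" % (base, n + 1)
        seen.add(fp)
        result.append((nick, der))
    return result


def to_pem(der):
    """Wrap a DER blob as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def build_sample_bundle():
    """Constructed sample: two distinct SEQUENCEs plus a repeat of the first.
    These are NOT real certificates, only minimal DER SEQUENCE{INTEGER n}."""
    cert_a = b"\x30\x03\x02\x01\x05"
    cert_b = b"\x30\x03\x02\x01\x07"
    return to_pem(cert_a) + to_pem(cert_b) + to_pem(cert_a)


if __name__ == "__main__":
    for nick, der in assign_nicknames(split_pem_bundle(build_sample_bundle())):
        print(nick, fingerprint(der)[:16])
```

The nickname only has to be unique within one NSS database, so the counter restarts per bundle; if the same bundle is imported into a database that already holds a "CA certificate", the caller should pass a different `base` or check `certutil -L` first.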
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-269-external.patch
Type: application/mbox
Size: 93054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090910/2476b224/attachment.mbox>