[Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

Petr Viktorin pviktori at redhat.com
Mon Mar 18 11:58:33 UTC 2013


Hello,
While the work is not complete, these patches allowed me to install an 
IPA server without a CA, using PKCS#12 files for the server certs.

The patches don't break normal installation.
The --selfsign option (but not yet the code behind it) is removed.

The absence of a CA is indicated by `enable_ra=False` in the IPA config.

ipa-replica-install will still refuse to run; I'll look into that next.

I removed some unused code that got in my way: Dogtag 9 installation (we 
can run a Dogtag 9-style CA, but we never *install* it), and 
ipapython.certdb.CertDB (unused, not to be confused with ipaserver's 
CertDB).

I tried using python-nss, but unfortunately found that it's not yet 
usable here. John filed 
https://bugzilla.redhat.com/show_bug.cgi?id=922247 after our 
conversation. Parsing certutil output, while dirty, is more reliable in 
my limited experience.
I added ipaserver.install.certs.NSSDatabase as a general-purpose wrapper 
around certdb operations. We have a CertDB class for it but that one is 
too tied to the current code paths: when I used it I found myself 
re-implementing a lot of methods to get rid of some assumption or other. 
The new NSSDatabase is not tied to IPA configuration.


From what I've learned, PKCS#12 files are just a bag of certificates; 
there are basically no restrictions on their contents. But we assume 
there's only one cert inside that has a private key, and use that for 
the server cert. We also pretty much assume that there's one CA cert: if 
not we pick the first one and trust it as root CA.
In short, I think --http_pkcs & friends are too vague for PKCS#12s we 
don't control; we should have the user name the certs more explicitly.
Am I wrong here? Is this the usual way to import server certs?

-- 
Petr³
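As an added example (not code from these patches or from IPA's own CertDB), this is how the `certutil -L` listing of the NSS database could be parsed after a `pk12util -i` import and the two assumptions above checked explicitly, reporting an ambiguous CA instead of silently trusting the first non-key certificate. It assumes the standard `certutil -L` column layout; the function names and the sample listing are constructed for the example.

```python
import re

# Trust column of "certutil -L": three comma-separated flag sets for SSL,
# S/MIME and JAR/XPI (e.g. "u,u,u" or "CT,,").  The "u" flag marks a
# certificate whose private key is present in the NSS database.
_TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")


def parse_certutil_listing(text):
    """Split "certutil -L -d <dbdir>" output into (certs with a private key,
    certs without one); each is a list of nicknames in listing order."""
    key_certs, other_certs = [], []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header, blank and column-title lines never end in a trust token.
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        ssl_flags = trust.split(",")[0]
        (key_certs if "u" in ssl_flags else other_certs).append(nickname)
    return key_certs, other_certs


def pick_server_and_ca(key_certs, other_certs):
    """Apply the installer's assumptions (exactly one keyed cert is the server
    cert, exactly one other cert is the CA) and report each violation instead
    of silently trusting the first CA.  Returns (server, ca, problems)."""
    problems = []
    if len(key_certs) != 1:
        problems.append("expected exactly one certificate with a private key, "
                        "found %d: %s" % (len(key_certs), key_certs))
    if not other_certs:
        problems.append("no CA certificate found in the database")
    elif len(other_certs) > 1:
        problems.append("%d CA candidates, refusing to guess the root: %s"
                        % (len(other_certs), other_certs))
    server = key_certs[0] if len(key_certs) == 1 else None
    ca = other_certs[0] if len(other_certs) == 1 else None
    return server, ca, problems


# Constructed sample, as an NSS database might list after "pk12util -i" of a
# PKCS#12 that carries a server cert plus a two-level CA chain.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Root CA                                              ,,
Example Intermediate CA                                      ,,
"""
```

Running `pick_server_and_ca(*parse_certutil_listing(SAMPLE_LISTING))` picks `Server-Cert` as the server certificate and reports two CA candidates rather than choosing one.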
Attachments (patches, type text/x-patch):
freeipa-pviktori-0197-ipa-server-install-Make-temporary-pin-files-availabl.patch (6412 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment.bin>
freeipa-pviktori-0198-ipa-server-install-Remove-the-selfsign-option.patch (9465 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0001.bin>
freeipa-pviktori-0199-Remove-code-to-install-Dogtag-9.patch (18751 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0002.bin>
freeipa-pviktori-0200-Remove-unused-ipapython.certdb.CertDB-class.patch (6425 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0003.bin>
freeipa-pviktori-0201-ipaserver.install.certs-Introduce-NSSDatabase-as-a-m.patch (13843 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0004.bin>
freeipa-pviktori-0202-Trust-CAs-from-PKCS-12-files-even-if-they-don-t-have.patch (1126 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0005.bin>
freeipa-pviktori-0203-dsinstance-httpinstance-Don-t-hardcode-Server-Cert.patch (5772 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0006.bin>
freeipa-pviktori-0204-Support-installing-with-custom-SSL-certs-without-a-C.patch (11067 bytes)
<http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/ebdbb2b4/attachment-0007.bin>