[Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

Dmitri Pal dpal at redhat.com
Mon Mar 18 17:45:38 UTC 2013


On 03/18/2013 07:58 AM, Petr Viktorin wrote:
> Hello,
> While the work is not complete, these patches allowed me to install an
> IPA server without a CA, using PKCS#12 files for the server certs.
>
> The patches don't break normal installation.
> The --selfsign option (but not yet the code behind it) is removed.
>
> The absence of a CA is indicated by `enable_ra=False` in the IPA config.
>
> ipa-replica-install will still refuse to run; I'll look into that next.
>
> I removed some unused code that got in my way: Dogtag 9 installation
> (we can run a Dogtag 9-style CA, but we never *install* it), and
> ipapython.certdb.CertDB (unused, not to be confused with ipaserver's
> CertDB).
>
> I tried using python-nss, but unfortunately found that it's not yet
> usable here. John filed
> https://bugzilla.redhat.com/show_bug.cgi?id=922247 after our
> conversation. Parsing certutil output, while dirty, is more reliable
> in my limited experience.
> I added ipaserver.install.certs.NSSDatabase as a general-purpose
> wrapper around certdb operations. We have a CertDB class for it but
> that one is too tied to the current code paths: when I used it I found
> myself re-implementing a lot of methods to get rid of some assumption
> or other. The new NSSDatabase is not tied to IPA configuration.
>
>
> From what I've learned, PKCS#12 files are just a bag of certificates;
> there are basically no restrictions on their contents. But we assume
> there's only one cert inside that has a private key, and use that for
> the server cert. We also pretty much assume that there's one CA cert:
> if not we pick the first one and trust it as root CA.
> In short, I think --http_pkcs & friends are too vague for PKCS#12s we
> don't control; we should have the user name the certs more explicitly.
> Am I wrong here? Is this the usual way to import server certs?

If we do not do anything about this now we should at least clearly
document the assumptions and how things work to avoid surprises.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
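The thread above asks what a server-cert import should assume about a PKCS#12 bag (exactly one cert with a private key, exactly one CA) and notes that parsing `certutil` output is the more reliable route for now. The following is an added example, not code from the FreeIPA patches or from either author: it parses a constructed `certutil -L`-style listing of an NSS database (as it would look after a `pk12util` import) and checks whether the one-key/one-CA assumption actually holds, so an installer can refuse an ambiguous bag instead of silently picking the first entry. The trust-flag interpretation ("u" marks a cert whose private key is in the DB, "C"/"T" in the SSL column mark a trusted CA) follows the standard NSS flag meanings; the sample listings are constructed, not captured from a real system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `certutil -L -d <dbdir>` output (not from a real
# system): one server cert holding a private key and one trusted CA.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example CA                                                   CT,C,C
"""

# Constructed ambiguous bag: two key-bearing certs and two CAs. Picking the
# "first one" here would be a guess, which is exactly the risk in the thread.
AMBIGUOUS_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Old-Server-Cert                                              u,u,u
Example CA                                                   CT,C,C
Other CA                                                     CT,C,C
"""


@dataclass
class CertEntry:
    nickname: str
    ssl: str    # trust flags for the SSL column
    smime: str  # trust flags for the S/MIME column
    jar: str    # trust flags for the JAR/XPI column

    @property
    def has_private_key(self) -> bool:
        # NSS sets the "u" (user) flag when the DB holds the matching key.
        return "u" in (self.ssl + self.smime + self.jar)

    @property
    def is_trusted_ca(self) -> bool:
        # "C": trusted CA for SSL server auth; "T": trusted to issue client certs.
        return "C" in self.ssl or "T" in self.ssl


# A data line is "<nickname><2+ spaces><ssl>,<smime>,<jar>" using only NSS
# trust-flag letters; the two header lines never match this shape.
_LINE_RE = re.compile(r"(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)")


def parse_certutil_list(output: str) -> List[CertEntry]:
    """Parse the nickname/trust table printed by `certutil -L`."""
    entries = []
    for raw in output.splitlines():
        match = _LINE_RE.fullmatch(raw.strip())
        if not match:
            continue  # headers and blank lines
        ssl, smime, jar = match.group("flags").split(",")
        entries.append(CertEntry(match.group("nick"), ssl, smime, jar))
    return entries


def select_server_and_ca(entries: List[CertEntry]) -> Tuple[str, str]:
    """Return (server nickname, CA nickname) only when the bag is unambiguous.

    Raises ValueError when there is not exactly one key-bearing cert and
    exactly one trusted CA, so the caller can ask the user to name them.
    """
    keyed = [e.nickname for e in entries if e.has_private_key]
    cas = [e.nickname for e in entries if e.is_trusted_ca]
    if len(keyed) != 1:
        raise ValueError(f"expected exactly one cert with a private key, found {len(keyed)}: {keyed}")
    if len(cas) != 1:
        raise ValueError(f"expected exactly one trusted CA cert, found {len(cas)}: {cas}")
    return keyed[0], cas[0]


def choose_or_none(output: str) -> Optional[Tuple[str, str]]:
    """Convenience wrapper: the selection, or None when the bag is ambiguous."""
    try:
        return select_server_and_ca(parse_certutil_list(output))
    except ValueError:
        return None


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CERTUTIL_OUTPUT), ("ambiguous", AMBIGUOUS_CERTUTIL_OUTPUT)):
        print(label, "->", choose_or_none(text))
```

In an installer this check would run right after `pk12util -i` has imported the bag into the NSS database; when it returns an error, the sensible response is the one Petr suggests, asking the user to name the server and CA certs explicitly rather than trusting whichever entry happens to come first.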






