[Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

Rob Crittenden rcritten at redhat.com
Wed Mar 20 17:28:42 UTC 2013


Petr Viktorin wrote:
> On 03/18/2013 10:24 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
> [...]
>>>  From what I've learned, PKCS#12 files are just a bag of certificates;
>>> there are basically no restrictions on their contents. But we assume
>>> there's only one cert inside that has a private key, and use that for
>>> the server cert. We also pretty much assume that there's one CA cert: if
>>> not we pick the first one and trust it as root CA.
>>> In short, I think --http_pkcs & friends are too vague for PKCS#12s we
>>> don't control; we should have the user name the certs more explicitly.
>>> Am I wrong here? Is this the usual way to import server certs?
>>
>> We can impose a requirement that the CA be included in the PKCS#12
>> files. At least with NSS this happens automatically, I can't recall with
>> openssl.
>>
>> Or we can add a new option to pass in the CA bundle in PEM format.
>
> After thinking about it, this is the way I want to go. It's a bit more
> typing for the user, but it reduces the amount of guesswork the
> installer needs to do. When deciding who to trust I'd rather be explicit.
> There's also a bit less validation to do and corner cases to watch out for.

Yeah, I think this will simplify things a lot. The only downside is the 
requirement that both certs come from the same CA, but we have to draw 
the line somewhere. We can always look into extending things later on as 
needed.

>
> The root CA certificate will be given by --external-ca-file. The trust
> chains for both servers (dirsrv, http) must lead to that CA. This CA
> will be trusted, and put in /etc/ipa/ca.crt.

Just thinking out loud here, but will that cause any confusion, using an 
existing option? I don't think so but I may be too used to this.

>
> Each PKCS#12 file must contain exactly one cert with a private key. This
> cert will be used for the corresponding server.
> Of course you can use the same cert for both servers.

I'm ok with that assuming we have an effective way of enforcing it. 
We'll need to provide some good documentation on how to create, or 
re-create, a PKCS#12 file to fit this format.

>
> The --external_ca_file must contain exactly one cert. Certs for any
> intermediate CAs must be in the PKCS#12.

It would be a lot easier to include all the CAs in a single PEM. This is 
not unprecedented, and just catting a bunch of certs together into a 
single file is easy and should not be error-prone.

I think too we'll need to be able to handle the case of any Built-in 
certs. There is a chance we will need to simply drop on the floor any CA 
certs provided because some or all of them are already in NSS (all we 
really care about for this, I think).

> Does that look good? Does it need a design page?

I think a design page would be particularly helpful in this case. I 
think this is going to be rather complex, and whatever choices we make 
to simplify things are going to be important.

>
> I have some patches for this and for replication, but it'll take another
> day to polish and test them.

Sounds great.

>
> [...]
>> I'm not sure the dogtag 9 removal code really fits in the context of
>> these changes. It makes sense, but has nothing to do with this.
>
> I'll retire that patch for now.

It would probably be a good idea to open a ticket and attach your 
current work.

thanks

rob

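A check for the input format proposed above, as an added example that is not part of this thread or of FreeIPA's own installer: it applies Petr's rules (one root in the CA PEM, exactly one private key per PKCS#12, intermediates carried inside the PKCS#12) with the openssl command line. The function name, file names and password are assumptions.

```sh
#!/bin/sh
# Added example, not FreeIPA code: check the inputs proposed in the thread
# before running the installer. Rules checked:
#   1. the CA PEM (--external-ca-file) holds exactly one certificate,
#   2. the PKCS#12 holds exactly one certificate that has a private key,
#   3. that certificate chains to the CA using only the intermediates carried
#      inside the PKCS#12 (handed to openssl as untrusted, never as anchors).
# Usage: check_server_bundle FILE.p12 PASSWORD CA.pem   (prints why it failed)
check_server_bundle() {
    p12=$1 pw=$2 ca=$3 rc=1
    # Extracted keys land here unencrypted, so the directory is removed on exit.
    work=$(mktemp -d) || return 1
    n_ca=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null || true)
    if [ "${n_ca:-0}" -ne 1 ]; then
        echo "CA file must contain exactly one certificate, found ${n_ca:-0}"
    elif ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
            -out "$work/keys.pem" 2>/dev/null; then
        echo "cannot read PKCS#12 (bad password or corrupt file)"
    elif [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$work/keys.pem")" -ne 1 ]; then
        echo "PKCS#12 must contain exactly one private key"
    else
        # -clcerts yields the cert tagged with the key's localKeyID (the server
        # cert); -cacerts yields every other cert in the bag (intermediates).
        openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
            -out "$work/server.pem" 2>/dev/null
        openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys \
            -out "$work/chain.pem" 2>/dev/null
        untrusted=""
        [ -s "$work/chain.pem" ] && untrusted="-untrusted $work/chain.pem"
        # The CA PEM is the only trust anchor; grep for ": OK" rather than
        # relying on the exit status, which old openssl versions did not set.
        if openssl verify -CAfile "$ca" $untrusted "$work/server.pem" 2>/dev/null \
                | grep -q ': OK$'; then
            rc=0
        else
            echo "server certificate does not chain to the CA in $ca"
        fi
    fi
    rm -rf "$work"
    return $rc
}
```

A bundle whose intermediate is missing from the PKCS#12 fails rule 3 even though the server cert itself was issued under the root, which is the corner case the "intermediates must be in the PKCS#12" rule is meant to catch.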