[Freeipa-devel] [RFE] CA-less install
Jan Cholasta
jcholast at redhat.com
Wed Mar 27 14:44:25 UTC 2013
Hi,

On 22.3.2013 13:10, Petr Viktorin wrote:
> The design page for CA-less installation with user-provided SSL certs is
> available at http://freeipa.org/page/V3/CA-less_install. I've also
> copied it to this mail.
>
> Does it answer all your questions?
>

I have gone through the whole discussion, RFE page and your patches, and
I still don't see why --root-ca-file is necessary. Walking the
certificate chain from the server cert up to the root CA is easy, so why
not do that to determine the root CA? If the option is there just to
ensure that the right certificate is used, I think it would be better to
ask the user to confirm that during the installation process, or use
--root-ca-subject or a similar option to specify what certificate to use.

We should do some validation of the PKCS#12 files and the certificates
within them, as currently ipa-server-install will happily accept
anything thrown at it. I think the minimum is to validate that the
PKCS#12 file contains the whole certificate chain, the server key and
only that, and that the server certificate has CN=<fqdn> (or
CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
don't do that, ipa-server-install might fail when it's too late to fix
things.

Also, the RFE page states that the options to specify PKCS#12 files are
called --http_pkcs and --dirsrv_pkcs, but they are in fact called
--http_pkcs12 and --dirsrv_pkcs12.

Honza
--
Jan Cholasta
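
The validation proposed in this message (one server key, a complete chain walked from the server certificate up to the root, nothing else in the bundle, and CN=<fqdn> or optionally CN=*.<domain>), as an added example that is not code from the FreeIPA patches or from the author of the message. It assumes the PKCS#12 file has already been parsed into subject/issuer strings and does not verify signatures; `Cert`, `validate_bundle`, `key_subjects` and the sample names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Already-parsed certificate fields (assumed model, no signature checks)."""
    subject: str
    issuer: str

def subject_cn(subject):
    """Return the CN value of a comma-separated subject string, or None."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def validate_bundle(certs, key_subjects, fqdn, allow_wildcard=False):
    """Return (root, errors) for one bundle; root is None if no root is found.

    key_subjects lists the subjects of certificates that have a private key
    in the bundle (hypothetical input, produced by whatever parses the file).
    """
    if len(key_subjects) != 1:
        return None, ["expected exactly one private key, found %d" % len(key_subjects)]
    by_subject = {c.subject: c for c in certs}
    server = by_subject.get(key_subjects[0])
    if server is None:
        return None, ["no certificate matches the private key"]
    errors = []
    allowed = {fqdn.lower()}
    if allow_wildcard:
        allowed.add("*." + fqdn.lower().partition(".")[2])
    if (subject_cn(server.subject) or "").lower() not in allowed:
        errors.append("server certificate CN does not match %s" % fqdn)
    # Walk issuer links from the server certificate up to a self-issued root.
    chain = [server]
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            errors.append("chain incomplete at issuer %r" % chain[-1].issuer)
            return None, errors
        chain.append(parent)
    extra = [c.subject for c in certs if c not in chain]
    if extra:
        errors.append("unrelated certificates in bundle: %s" % ", ".join(extra))
    return chain[-1], errors

# Constructed sample data, not taken from a real deployment.
ROOT = Cert("CN=Example Root CA,O=EXAMPLE", "CN=Example Root CA,O=EXAMPLE")
INTER = Cert("CN=Example Issuing CA,O=EXAMPLE", ROOT.subject)
SERVER = Cert("CN=ipa.example.test,O=EXAMPLE", INTER.subject)
```

Running these checks before any configuration step reports a bad bundle while the installation can still be aborted cleanly.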