[Freeipa-devel] [RFE] CA-less install

Petr Viktorin pviktori at redhat.com
Wed Mar 27 16:18:51 UTC 2013


On 03/27/2013 04:40 PM, Jan Cholasta wrote:
> On 27.3.2013 16:23, Petr Viktorin wrote:
>> On 03/27/2013 03:44 PM, Jan Cholasta wrote:
>>> I have gone through the whole discussion, RFE page and your patches, and
>>> I still don't see why --root-ca-file is necessary. Walking the
>>> certificate chain from the server cert up to the root CA is easy, so why
>>> not do that to determine the root CA? If the option is there just to
>>> ensure that the right certificate is used, I think it would be better to
>>> ask the user to confirm that during the installation process, or use
>>> --root-ca-subject or similar option to specify what certificate to use.
>>
>> Well, --root-ca-file specifies the root of trust, not necessarily the
>> self-signed/unsigned CA at the end of the trust chain.
>> Suppose you have a company-wide cert signed by a "globally" trusted CA,
>> but you're paranoid and only want to trust the company cert, not a CA that
>> signs half the world's certificates. In that case walking up the chain
>> would select the wrong certificate.
>> Please correct me if my thinking is wrong.
>
> Makes sense, thanks. Can you please put this information in the RFE page?

Added.

>> Yes, a --root-ca-subject would work too. I assumed the PEM file is
>> readily available.
>
> Well, I don't like how a PEM file duplicates an unnecessary amount of
> information (the whole certificate). Also, copy-pasting the subject might be
> faster than exporting the certificate in PEM and uploading it to the server...

Well, if the PKCS#12 only has the server cert that's signed directly by 
the CA, there's no duplication. This is arguably the common case.
Honestly, I don't know what would be easier for a typical sysadmin in an 
organization that needs this functionality. These two approaches seem 
pretty even to me.

>>> We should do some validation of the PKCS#12 files and the certificates
>>> within them, as currently ipa-server-install will happily accept
>>> anything thrown at it. I think the minimum is to validate that the
>>> PKCS#12 file contains the whole certificate chain, the server key and
>>> only that, and that the server certificate has CN=<fqdn> (or
>>> CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
>>> don't do that, ipa-server-install might fail when it's too late to fix
>>> things.
>>
>> I don't want to check the subject because this RFE was prompted by IPA's
>> normal CA rejecting valid wildcard certs. Is there a reasonable way to
>> ask NSS if it will trust the cert? If there is I can put it in, but I
>> don't want to re-create the validation.
>
> I'm not sure TBH. Maybe someone with more NSS experience could answer this?
>
>>
>> The code checks for the whole cert chain, and that there's only one
>> server cert. Does that not work?
>
> Actually I didn't check this specifically. But, I used a server
> certificate with wrong subject and that made ipa-server-install fail.

I'll see how python-nss can help here.


-- 
Petr³
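
The validation the two of them converge on (one server key and cert, a complete chain inside the PKCS#12, a subject that covers the host, and a trust anchor given by --root-ca-file that is deliberately not the self-signed top of the chain) can be sketched as follows. This is an added example, not FreeIPA code and not the python-nss route Petr mentions: it uses the `cryptography` package instead, and the function names (`validate_bundle`, `build_demo`, the private helpers), the password, and the three-level "public root -> Example Corp CA -> ipa.example.test" chain are all constructed for illustration.

```python
"""Validate a CA-less PKCS#12 bundle against an explicit trust anchor.

Added example, not FreeIPA code; names and certificates are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _signed_by(cert, issuer):
    """True if issuer's key verifies cert's signature (RSA PKCS#1 v1.5 only)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def validate_bundle(p12_bytes, password, root_ca_pem, fqdn):
    """Return the chain [server, ..., anchor] or raise ValueError.

    Checks: exactly one server key+cert and they match; CN is <fqdn> or
    *.<domain>; the bundle links the server cert up to the anchor handed in
    as --root-ca-file; nothing unrelated is in the bundle.  The anchor is NOT
    required to be self-signed: a company CA signed by a public root is a
    valid root of trust, and the walk stops there, not at the public root.
    """
    key, server, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or server is None:
        raise ValueError("PKCS#12 must contain the server key and certificate")
    if key.public_key().public_numbers() != server.public_key().public_numbers():
        raise ValueError("private key does not match the server certificate")
    anchor = x509.load_pem_x509_certificate(root_ca_pem)

    cn = server.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn not in (fqdn, "*." + fqdn.split(".", 1)[1]):
        raise ValueError("server CN=%r does not cover %s" % (cn, fqdn))

    chain = [server]
    while not _signed_by(chain[-1], anchor):
        up = [c for c in extra if c not in chain and _signed_by(chain[-1], c)]
        if not up:
            raise ValueError("chain does not reach the trust anchor from "
                             + chain[-1].subject.rfc4514_string())
        chain.append(up[0])
    chain.append(anchor)

    # Certs above the anchor (e.g. the public root) may be present but are not
    # trusted; any cert that is neither in nor above the chain is rejected.
    seen, top = list(chain), anchor
    while True:
        up = [c for c in extra if c not in seen and _signed_by(top, c)]
        if not up:
            break
        seen.append(up[0])
        top = up[0]
    if any(c not in seen for c in extra):
        raise ValueError("PKCS#12 contains certificates unrelated to the chain")
    return chain


def _make_cert(cn, issuer_cert=None, issuer_key=None, ca=False):
    """Constructed test cert; self-signed when no issuer is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2013, 3, 27)  # constructed date, not checked here
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))
    return key, cert


def build_demo(password=b"secret"):
    """Constructed chain: public root -> company CA -> server, as in the thread.

    Returns (good_p12, bad_p12, company_pem, root_pem); bad_p12 also carries
    an unrelated self-signed cert that validation must reject.
    """
    root_key, root = _make_cert("Globally Trusted Root", ca=True)
    co_key, company = _make_cert("Example Corp CA", root, root_key, ca=True)
    srv_key, server = _make_cert("ipa.example.test", company, co_key)
    _, stray = _make_cert("Unrelated CA", ca=True)
    enc = serialization.BestAvailableEncryption(password)
    good = pkcs12.serialize_key_and_certificates(b"ipa", srv_key, server, [company, root], enc)
    bad = pkcs12.serialize_key_and_certificates(b"ipa", srv_key, server, [company, stray], enc)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return good, bad, pem(company), pem(root)
```

With the company CA as --root-ca-file the returned chain is two certificates long even though the public root is also in the bundle; with the public root as the anchor it is three. This is the difference Petr describes: the anchor is whatever the admin named, and the code never walks past it to the self-signed top. A subject check along these lines would still pass a `CN=*.example.test` wildcard cert for `ipa.example.test`, which addresses the concern that prompted the RFE.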
