[Freeipa-devel] [RFE] CA-less install

Petr Viktorin pviktori at redhat.com
Wed Mar 27 16:42:43 UTC 2013


On 03/27/2013 05:09 PM, Rob Crittenden wrote:
[...]
>> Well, I don't like how PEM file duplicates an unnecessary amount of
>> information (the whole certificate). Also, copy-pasting subject might be
>> faster than exporting certificate in PEM and uploading it to the
>> server...
>
> We're talking a one-time operation. I don't think it's asking too much.
> It also gives the user some amount of control rather than assuming that
> whatever tool they're using to create the PKCS#12 file is also smart
> enough to include the right CAs.

Well, to be fair, if there are any intermediate CAs, they need to be in 
the PKCS#12. (In the future there may be support for multiple root CAs, 
which would all get explicit trust. Those would all go in the PEM, so 
intermediate ones must be somewhere else -- in the PKCS#12.)

Anyway I think it's unlikely that everybody will have the certs in the 
right format for IPA by default, whatever that format is.
Honza has a point, but... If one solution is clearly better (in terms of 
best/common practices in organizations this feature is for), I'm happy 
to change it. Otherwise let's paint the bikeshed with the color I have 
ready :)

[...]
>>> I don't want to check the subject because this RFE was prompted by IPA's
>>> normal CA rejecting valid wildcard certs. Is there a reasonable way to
>>> ask NSS if it will trust the cert? If there is I can put it in, but I
>>> don't want to re-create the validation.
>>
>> I'm not sure TBH. Maybe someone with more NSS experience could answer
>> this?
>
> certutil -V -u V will do it.

The usage is already checked -- and with this command, too :)
The problem here is hostname validation.

> I don't think it would be onerous to assure that either the FQDN is in
> the CN or it is a '*'. python-nss has fairly easy ways to grab the
> subject out of a cert for this comparison.
>
>>>
>>> The code checks for the whole cert chain, and that there's only one
>>> server cert. Does that not work?
>>
>> Actually I didn't check this specifically. But, I used a server
>> certificate with wrong subject and that made ipa-server-install fail.
>>
>
> One of the many cases that we will need to handle.

I found that python-nss has a verify_hostname call. I'll add it.

-- 
Petr³
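The thread settles on two separate checks for a user-supplied server certificate: certificate usage (which `certutil -V -u V` already covers) and hostname validation, where a plain "FQDN in the CN or it is a '*'" test is too loose for wildcard certificates. The following is an added illustration, not code from this thread or from FreeIPA, of the hostname-matching rules a validator such as python-nss's verify_hostname applies. It assumes the caller has already extracted the subject CN and any SAN dNSName entries from the certificate (the function names and the sample names are constructed for this example).

```python
"""Hostname matching for a server certificate (added example, not FreeIPA code).

Rules implemented, following RFC 6125 wildcard handling:
  * names are compared case-insensitively, ignoring a trailing dot;
  * SAN dNSName entries are preferred; the subject CN is only a fallback;
  * a wildcard is accepted only as the complete leftmost label ("*.example.com"),
    it matches exactly one label, never an IP address, and never something as
    broad as "*.com".
"""
import ipaddress


def _label_matches(pattern, label):
    # A whole-label "*" matches any non-empty label; partial wildcards
    # such as "ipa*" are never treated as wildcards at all.
    if pattern == "*":
        return bool(label)
    return pattern == label


def hostname_matches(fqdn, names):
    """Return True if fqdn is covered by one of the DNS names in `names`."""
    host = fqdn.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    host_labels = host.split(".")

    for name in names:
        pat = name.rstrip(".").lower()
        if "*" not in pat:
            if pat == host:
                return True
            continue
        if is_ip:
            continue  # wildcards never match IP addresses
        pat_labels = pat.split(".")
        if len(pat_labels) != len(host_labels):
            continue  # "*" spans exactly one label, so "*.example.com" != "a.b.example.com"
        if pat_labels[0] != "*" or "*" in pat_labels[1:]:
            continue  # wildcard must be the entire leftmost label and nothing else
        if len(pat_labels) < 3:
            continue  # refuse "*.com"-style wildcards
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def certificate_names(subject_cn, san_dns_names):
    """Names to compare against: SAN dNSNames if present, otherwise the CN."""
    if san_dns_names:
        return list(san_dns_names)
    return [subject_cn] if subject_cn else []


def check_server_cert(fqdn, subject_cn, san_dns_names=()):
    """Return (ok, reason) for a server certificate described by its names.

    subject_cn / san_dns_names are assumed to come from the caller's
    certificate parser (e.g. python-nss); this example does not parse certs.
    """
    names = certificate_names(subject_cn, san_dns_names)
    if not names:
        return False, "certificate carries no DNS name to compare"
    if hostname_matches(fqdn, names):
        return True, "FQDN %s matches %r" % (fqdn, names)
    return False, "FQDN %s not covered by %r" % (fqdn, names)


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the cases raised in the thread.
    for fqdn, cn, san in [
        ("ipa.example.com", "ipa.example.com", ()),          # CN only, exact
        ("ipa.example.com", "*.example.com", ()),            # valid wildcard
        ("ipa.sub.example.com", "*.example.com", ()),        # wildcard too shallow
        ("ipa.example.com", "other.example.com", ("ipa.example.com",)),  # SAN wins
        ("ipa.example.com", "ipa*.example.com", ()),         # partial wildcard
    ]:
        print(fqdn, cn, san, "->", check_server_cert(fqdn, cn, san))
```

The rejection of partial and multi-label wildcards is the part a CN-string comparison gets wrong; it is also why the thread prefers reusing the library's own verify_hostname over re-creating validation by hand.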