[Freeipa-devel] [RFE] CA-less install

John Dennis jdennis at redhat.com
Wed Mar 27 16:58:34 UTC 2013


On 03/27/2013 12:42 PM, Petr Viktorin wrote:
> On 03/27/2013 05:09 PM, Rob Crittenden wrote:
> [...]
>>> Well, I don't like how PEM file duplicates an unnecessary amount of
>>> information (the whole certificate). Also, copy-pasting subject might be
>>> faster than exporting certificate in PEM and uploading it to the
>>> server...
>>
>> We're talking a one-time operation. I don't think it's asking too much.
>> It also gives the user some amount of control rather than assuming that
>> whatever tool they're using to create the PKCS#12 file is also smart
>> enough to include the right CAs.
>
> Well, to be fair, if there are any intermediate CAs, they need to be in
> the PKCS#12. (In the future there may be support for multiple root CAs,
> which would all get explicit trust. Those would all go in the PEM, so
> intermediate ones must be somewhere else -- in the PKCS#12.)
>
> Anyway I think it's unlikely that everybody will have the certs in the
> right format for IPA by default, whatever that format is.
> Honza has a point, but... If one solution is clearly better (in terms of
> best/common practices in organizations this feature is for), I'm happy
> to change it. Otherwise let's paint the bikeshed with the color I have
> ready :)
>
> [...]
>>>> I don't want to check the subject because this RFE was prompted by IPA's
>>>> normal CA rejecting valid wildcard certs. Is there a reasonable way to
>>>> ask NSS if it will trust the cert? If there is I can put it in, but I
>>>> don't want to re-create the validation.
>>>
>>> I'm not sure TBH. Maybe someone with more NSS experience could answer
>>> this?
>>
>> certutil -V -u V will do it.
>
> The usage is already checked -- and with this command, too :)
> The problem here is hostname validation.
>
>> I don't think it would be onerous to assure that either the FQDN is in
>> the CN or it is a '*'. python-nss has fairly easy ways to grab the
>> subject out of a cert for this comparison.
>>
>>>>
>>>> The code checks for the whole cert chain, and that there's only one
>>>> server cert. Does that not work?
>>>
>>> Actually I didn't check this specifically. But, I used a server
>>> certificate with wrong subject and that made ipa-server-install fail.
>>>
>>
>> One of the many cases that we will need to handle.
>
> I found that python-nss has a verify_hostname call. I'll add it.

It also has Certificate.verify_now(). There are examples of usage in 
either the doc/examples directory or the test directory.

NB, the cert has to be in the database, a possible limitation for the 
intended usage. The enhanced unreleased code dispenses with that 
restriction and adds additional functionality.
-- 
John Dennis <jdennis at redhat.com>
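Rob's sketch above (the FQDN is in the CN, or the CN is a '*' wildcard) written out as a working check. This is an added example, not code from the thread, from FreeIPA or from python-nss; it goes a little beyond the sketch by applying the usual wildcard rules (a '*' only as the whole leftmost label, covering exactly one label, with SAN dNSNames preferred over the CN), and the sample names are constructed.

```python
# Constructed sample subjects of the kind the thread discusses: a plain
# host cert, a wildcard cert and a cert issued for a different host.
SAMPLE_CERTS = {
    "plain":    {"cn": "ipa.example.test",   "san": ["ipa.example.test"]},
    "wildcard": {"cn": "*.example.test",     "san": ["*.example.test"]},
    "other":    {"cn": "other.example.test", "san": []},
}


def hostname_matches(fqdn: str, name: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers fqdn.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    accepted only as the entire leftmost label (so "*.example.test", not
    "ipa*.example.test" or "*"), it matches exactly one label, and the
    remaining labels must match literally.
    """
    fqdn = fqdn.rstrip(".").lower()
    name = name.rstrip(".").lower()
    if not fqdn or not name:
        return False
    if "*" not in name:
        return fqdn == name
    name_labels = name.split(".")
    host_labels = fqdn.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if name_labels[0] != "*" or any("*" in lbl for lbl in name_labels[1:]):
        return False
    # Refuse bare "*" and "*.tld": at least two literal labels on the right.
    if len(name_labels) < 3:
        return False
    # '*' stands in for exactly one label, so label counts must agree.
    if len(host_labels) != len(name_labels):
        return False
    return host_labels[1:] == name_labels[1:]


def cert_covers_host(fqdn: str, cn: str, san_dns: list) -> bool:
    """Check SAN dNSName entries; fall back to the CN only when there are none."""
    names = san_dns if san_dns else [cn]
    return any(hostname_matches(fqdn, n) for n in names)


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        ok = cert_covers_host("ipa.example.test", cert["cn"], cert["san"])
        print(f"{label:8s} covers ipa.example.test: {ok}")
```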
