[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Jan Cholasta jcholast at redhat.com
Thu Sep 26 14:46:13 UTC 2013


On 26.9.2013 12:59, Tomas Babej wrote:
> On 09/26/2013 12:54 PM, Jan Cholasta wrote:
>> On 24.9.2013 18:14, Nalin Dahyabhai wrote:
>>> On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
>>>> We discussed this with Tomáš off-line and it turns out that
>>>> ipa-client-install fails if the CA cert is not added to
>>>> /etc/pki/nssdb.
>>>>
>>>> However, according to p11-kit docs it should work:
>>>> <http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
>>>> wonder what needs to be done to make it work in IPA...
>>>
>>> On my system, there's no symlink to libnssckbi.so (or the right location
>>> in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
>>> database isn't going to automatically pull in the list of trusted CAs
>>> that p11-kit maintains.
>>>
>>> Whether the database under /etc/pki/nssdb should automatically include
>>> the usual set of trust anchors is probably a different conversation.
>>
>> Thanks for the info.
>>
>> Tomáš, the patch is fine then. I have one more nitpick though: why did
>> you change "the default NSS database" to "the NSS database"? The
>> database in /etc/pki/nssdb *is* the default NSS database, so please
>> change it back. Also I think "systemwide CA trust database" is better
>> than "systemwide CA store".
>>
>> Honza
>>
> I fixed the descriptions. Updated patch attached.
>
> Tomas
>

Thanks.

There's one more thing: we should probably check if
/usr/bin/update-ca-trust exists before using it, for the sake of
cross-distro compatibility.

-- 
Jan Cholasta
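As an added illustration of the check suggested above (example code, not part of the FreeIPA patch or the thread): publish the CA certificate to the systemwide trust database only when update-ca-trust is present, and otherwise skip that step rather than fail. The anchor directory /etc/pki/ca-trust/source/anchors and the file name ipa-ca.crt are assumed conventions, not taken from the thread.

```python
import os
import subprocess
import tempfile

# /usr/bin/update-ca-trust is the path named in the thread; the anchor
# directory is an assumed Fedora/RHEL convention and may differ elsewhere.
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"


def publish_ca_cert(cert_pem, anchor_dir=ANCHOR_DIR, update_cmd=UPDATE_CA_TRUST):
    """Install cert_pem into the systemwide CA trust database and refresh it.

    Returns (published, message). When update_cmd is not an executable file
    the step is skipped instead of failing, so client installation can
    still complete on a distribution without that tool; the default NSS
    database in /etc/pki/nssdb is handled separately and is unaffected.
    """
    if not (os.path.isfile(update_cmd) and os.access(update_cmd, os.X_OK)):
        return False, "%s not found, systemwide trust database unchanged" % update_cmd
    os.makedirs(anchor_dir, exist_ok=True)
    dest = os.path.join(anchor_dir, "ipa-ca.crt")  # assumed file name
    with open(dest, "w") as f:
        f.write(cert_pem)
    os.chmod(dest, 0o644)  # trust anchors must be world-readable
    subprocess.run([update_cmd], check=True)  # rebuild the consolidated bundles
    return True, "%s installed and %s run" % (dest, update_cmd)


def demo():
    """Constructed scenario: a fake update-ca-trust that records being run,
    then the same call with the tool missing. Returns (published, skipped)."""
    cert = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        anchors = os.path.join(tmp, "anchors")
        fake_tool = os.path.join(tmp, "update-ca-trust")
        marker = os.path.join(tmp, "ran")
        with open(fake_tool, "w") as f:
            f.write("#!/bin/sh\ntouch '%s'\n" % marker)
        os.chmod(fake_tool, 0o755)
        ok, _ = publish_ca_cert(cert, anchors, fake_tool)
        ran = os.path.exists(marker)
        installed = os.path.exists(os.path.join(anchors, "ipa-ca.crt"))
        skipped, _ = publish_ca_cert(cert, anchors, os.path.join(tmp, "missing"))
    return ok and ran and installed, skipped


if __name__ == "__main__":
    print(demo())  # (True, False)
```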