[Pki-devel] [PATCH] 93, 94 - changes for a common admin user

Ade Lee alee at redhat.com
Fri Nov 30 22:01:13 UTC 2012


On Fri, 2012-11-30 at 09:56 -0600, Endi Sukma Dewata wrote:
> Some issues:
> 
> 1. The pki_use_common_admin_user is set to true in [Common] but 
> overwritten to false in [CA]:
> 
>    [Common]
>    pki_use_common_admin_user=true
> 
>    [CA]
>    pki_use_common_admin_user=false
> 
> If I understood correctly it's done this way to make sure that if we use 
> a common admin user, only CA will generate the certificate file, but not 
> the other subsystems:
> 
>    if not config.str2bool(master['pki_clone']) and \
>        not config.str2bool(master['pki_use_common_admin_user']):
> 
>        ... create cert file ...
> 
> Having conflicting pki_use_common_admin_users in the same config file is 
> confusing to users because we are actually using a common admin user for 
> all subsystems including CA so the value should be "true". I think it 
> would be better to check for CA explicitly in the code:
> 
>    [Common]
>    pki_use_common_admin_user=true
> 
>    if not config.str2bool(master['pki_clone']):
>        if not config.str2bool(master['pki_use_common_admin_user']) or
>            master['pki_subsystem'] == 'CA':
> 
>            ... create cert file ...
> 

The thing is - someone might install a subordinate CA and want to use
this mechanism to import an admin cert.  So we dont really want to
exclude this simply because its a CA.  Maybe we can change the name of
the directive to import_admin_cert = true/false ?  This makes it clearer
what we are doing.  Sound reasonable?

> 2. The location of the admin cert was changed from pki_client_dir to 
> pki_database_path. I think we should keep it in pki_client_dir because 
> the certificate belongs to the admin, not the instance, so it should be 
> in the admin's home directory. As long as the other subsystems are 
> created by the same admin the code should be able to read the cert from 
> the admin's home directory.
> 
> So the following parameters should point to the admin's home directory:
> - pki_client_admin_cert_p12
> - pki_admin_cert_file
> 
I agree with you that the cert belongs to the admin and not the
instance.  The problem is that we purge the client database by default.
And we should purge it once we have generated the p12 file, because it
includes the nss database and password files and so on. I suppose we
could be a little smarter about exactly what it is that we purge.

> 3. The default pki_admin_nickname is too long:
> 
>    PKI Administrator's example.com Security Domain ID
> 
> It can be simplified without losing information:
> 
>    PKI Administrator of example.com

OK - will change.
> 
> 4. The common cert files are called ca_admin.*. I think we should remove 
> the "ca_" to reflect that the cert works on all subsystems.
> 
Well along the lines of my response to above, if we change the name of
the directive to import_admin_cert - then its clearer that we are
importing a cert that was generated during the CA install for the admin
user on all subsystems.

In that case, using ca_admin is probably OK.





More information about the Pki-devel mailing list