[Pki-devel] [PATCH] 236 - fix installation of subca with own security domain
Ade Lee
alee at redhat.com
Wed Oct 1 16:44:54 UTC 2014
ACKed by Endi. Pushed to master.
On Wed, 2014-10-01 at 12:11 -0400, Ade Lee wrote:
> New version attached with Endi's suggested changes.
>
> Please review,
> Thanks.
> Ade
>
> On Tue, 2014-09-30 at 11:27 -0400, Ade Lee wrote:
> > Revised patch attached.
> >
> > In the last patch, I had added code that would have registered the subCA
> > as a member of the super-CA security domain. This introduced a problem
> > in removing that entry from the super-CA when the system was
> > pkidestroyed. Its also changes the existing behavior and is not the
> > right thing to do.
> >
> > This patch corrects all that, and thereby resolves the pkidestroy
> > problem.
> >
> > Please review,
> > Ade
> >
> > On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
> > > This fixes issue 1132 and allows pkispawn to successfully install a
> > > subCA that hosts its own security domain.
> > >
> > > This was, in retrospect, a lot harder than I thought it was going to be.
> > > Prior to this patch, we simply did not support this configuration with
> > > pkispawn.
> > >
> > > Two new parameters are introduced:
> > > pki_subordinate_create_new_security_domain=False
> > > pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
> > >
> > > See man pages for correct usage.
> > >
> > > There is only one issue left. When removing the subca using pkidestroy,
> > > removing the entry from the master security domain currently fails due
> > > to authentication. I'll fix that in the next patch.
> > >
> > > This is tricky stuff so please review carefully.
> > >
> > > Thanks.
> > > Ade
> >
>
More information about the Pki-devel
mailing list