Pavel Zuna wrote:
Rob Crittenden wrote:
The RA plugin originally only supported dogtag. At some point I want to be able to do on-line replica creation and this means we need to be able to do remote cert requests. To support this I've abstracted the RA plugin and added basic self-signed CA support. To do this I had to move the CA private key from the DS NSS database to the Apache NSS database.

The bulk of the patch adds support for an externally-signed dogtag CA. This is a 2-step process. You run the IPA installer to create the CA instance and generate a CSR. You take this CSR to your primary CA and get it signed, then re-run the IPA installer and pass it this new cert. A lot of our cert functions assumed 1 cert-per-file. I had to remove that assumption and add in a sort of generic nickname generator. It assumes that the certs will be in some sort of order in the file. It doesn't really matter as long as the nicknames are unique.

A replica created with a self-signed CA will not be able to issue certs yet. I started this work by enhancing the file used to store the next serial number to also store the next serial number to be used by a replica. The idea is that we ship this to the replica then bump it up by some value so that all replicas are unique. I think we'll have to enforce that replicas can't create other replicas.
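Two of the mechanisms described above, the nickname generator for a file holding several certs and the serial-number file that also tracks the next replica serial, sketched as an added example. This is illustration code, not the FreeIPA patch itself; the file layout, the field names `next_serial`, `serial_limit` and `next_replica_serial`, the `REPLICA_STRIDE` gap and the sample PEM data are all assumptions constructed for this example.

```python
# Added example, not FreeIPA code: a nickname generator for multi-cert PEM
# files and a serial-number file that also records where a replica starts.
# Field names, the stride and the sample certs are constructed assumptions.
import json
import re

# One PEM certificate block; re.S lets '.' span the base64 lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed two-cert file (bodies are placeholders, not real certificates).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedCertOne==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedCertTwo==
-----END CERTIFICATE-----
"""


def split_pem_certs(pem_text):
    """Return the certificate blocks of a PEM file, in file order."""
    return _PEM_CERT.findall(pem_text)


def assign_nicknames(cert_blocks, base, taken=()):
    """Map each cert (in file order) to a nickname unique within the NSS DB.

    The first free name is `base`, then `base-1`, `base-2`, ...; any name in
    `taken` (nicknames already present in the database) is skipped, so the
    result stays unique even when a file is imported more than once.
    """
    used = set(taken)
    result = []
    n = 0
    for block in cert_blocks:
        while True:
            nick = base if n == 0 else "%s-%d" % (base, n)
            n += 1
            if nick not in used:
                break
        used.add(nick)
        result.append((nick, block))
    return result


# Serial-number file: the master keeps its own next serial plus the serial a
# new replica will start from. REPLICA_STRIDE is a constructed gap between
# ranges; each CA may only issue below its own serial_limit.
REPLICA_STRIDE = 1000000


def load_serial_state(text):
    """Parse the serial file; an empty file means a fresh master CA."""
    if text:
        return json.loads(text)
    return {"next_serial": 1,
            "serial_limit": REPLICA_STRIDE,
            "next_replica_serial": REPLICA_STRIDE}


def next_serial(state):
    """Hand out this CA's next serial, refusing to run into another range."""
    serial = state["next_serial"]
    if serial >= state["serial_limit"]:
        raise ValueError("serial range exhausted for this CA")
    state["next_serial"] = serial + 1
    return serial


def allocate_replica_range(state):
    """Return the serial state to ship to a new replica and bump the master.

    The replica issues from next_replica_serial up to the next stride; the
    master then advances its counter so the following replica gets a disjoint
    range. The shipped state carries no replica counter, which enforces that
    a replica cannot itself create replicas.
    """
    if state["next_replica_serial"] is None:
        raise ValueError("only the master CA may create replicas")
    start = state["next_replica_serial"]
    state["next_replica_serial"] = start + REPLICA_STRIDE
    return {"next_serial": start,
            "serial_limit": start + REPLICA_STRIDE,
            "next_replica_serial": None}


if __name__ == "__main__":
    names = [n for n, _ in assign_nicknames(split_pem_certs(SAMPLE_PEM),
                                            "Server-Cert")]
    print(names)
    master = load_serial_state("")
    print(next_serial(master), allocate_replica_range(master))
```

`assign_nicknames` only depends on file order, which matches the point in the message that the order itself does not matter as long as every nickname ends up unique; `allocate_replica_range` returns a state with `next_replica_serial` set to `None`, so a replica fed that file fails closed if asked to create another replica.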


I didn't do extensive functionality tests, but the code looks really fine. I think we should push this. If something doesn't work exactly the way expected, we can always patch it later. ack.

This patch makes some changes to the service plugin that aren't compatible with my latest service plugin patch (Make the service plugin use baseldap classes.) Since this is probably going to get pushed first, I already made a replacement patch that merges changes from both. It's attached.


Pushed to master.



Freeipa-devel mailing list
