On 22.3.2013 13:10, Petr Viktorin wrote:
> The design page for CA-less installation with user-provided SSL certs is
> available at http://freeipa.org/page/V3/CA-less_install. I've also
> copied it to this mail.
>
> Does it answer all your questions?

I have gone through the whole discussion, RFE page and your patches, and I still don't see why --root-ca-file is necessary. Walking the certificate chain from the server cert up to the root CA is easy, so why not do that to determine the root CA? If the option is there just to ensure that the right certificate is used, I think it would be better to ask the user to confirm that during the installation process, or use --root-ca-subject or a similar option to specify what certificate to use.

We should do some validation of the PKCS#12 files and the certificates within them, as currently ipa-server-install will happily accept anything thrown at it. I think the minimum is to validate that the PKCS#12 file contains the whole certificate chain, the server key and only that, and that the server certificate has CN=<fqdn> (or CN=*.<domain> if we want to allow wildcard certs) in its subject. If we don't do that, ipa-server-install might fail when it's too late to fix things.

Also, the RFE page states that the options to specify PKCS#12 files are called --http_pkcs and --dirsrv_pkcs, but they are in fact called --http_pkcs12 and --dirsrv_pkcs12.


Jan Cholasta
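
The checks proposed in the message above (complete chain, exactly one server key, nothing extra, CN matching the FQDN or a wildcard), as an added example that is not FreeIPA code and not part of the original mail. It assumes the PKCS#12 contents have already been parsed into the hypothetical `Cert` records, links certificates by subject and issuer DN only, and does not verify signatures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:  # hypothetical record for one already-parsed certificate
    subject: str  # full subject DN
    issuer: str   # full issuer DN
    cn: str       # CN taken from the subject

def walk_chain(server, certs):
    """Follow issuer -> subject links from the server cert up to a self-signed root."""
    by_subject = {c.subject: c for c in certs}
    chain = [server]
    while chain[-1].subject != chain[-1].issuer:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            raise ValueError("incomplete chain: issuer %r not in file" % chain[-1].issuer)
        if parent in chain:
            raise ValueError("issuer loop at %r" % parent.subject)
        chain.append(parent)
    return chain

def cn_matches(cn, fqdn, allow_wildcard=False):
    """CN=<fqdn>, or CN=*.<domain> covering exactly one left-most label."""
    cn, fqdn = cn.lower(), fqdn.lower()
    domain = fqdn.partition(".")[2]
    return cn == fqdn or (allow_wildcard and bool(domain) and cn == "*." + domain)

def validate_bundle(certs, key_subjects, fqdn, allow_wildcard=False):
    """certs: every certificate in the file; key_subjects: subject DNs of the
    certificates that have a private key in the file. Returns the root CA."""
    if len(key_subjects) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(key_subjects))
    owners = [c for c in certs if c.subject == key_subjects[0]]
    if len(owners) != 1:
        raise ValueError("private key does not match exactly one certificate")
    server = owners[0]
    if not cn_matches(server.cn, fqdn, allow_wildcard):
        raise ValueError("server CN %r does not match %r" % (server.cn, fqdn))
    chain = walk_chain(server, certs)
    extra = [c.subject for c in certs if c not in chain]
    if extra:
        raise ValueError("certificates outside the chain: %r" % extra)
    return chain[-1]

# Constructed sample data (not from the page).
ROOT = Cert("CN=Example Root CA,O=EXAMPLE.TEST", "CN=Example Root CA,O=EXAMPLE.TEST", "Example Root CA")
INTER = Cert("CN=Example Issuing CA,O=EXAMPLE.TEST", ROOT.subject, "Example Issuing CA")
SERVER = Cert("CN=ipa.example.test,O=EXAMPLE.TEST", INTER.subject, "ipa.example.test")
```

Running these checks before any installation step changes the system surfaces a bad bundle while it can still be fixed.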
