On 03/27/2013 03:44 PM, Jan Cholasta wrote:

On 22.3.2013 13:10, Petr Viktorin wrote:
The design page for CA-less installation with user-provided SSL certs is
available at http://freeipa.org/page/V3/CA-less_install. I've also
copied it to this mail.

Does it answer all your questions?

I have gone through the whole discussion, RFE page and your patches, and
I still don't see why --root-ca-file is necessary. Walking the
certificate chain from the server cert up to the root CA is easy, so why
not do that to determine the root CA? If the option is there just to
ensure that the right certificate is used, I think it would be better to
ask the user to confirm that during the installation process, or use
--root-ca-subject or similar option to specify what certificate to use.

Well, --root-ca-file specifies the root of trust, not necessarily the selfsigned/unsigned CA at end of the trust chain. Suppose you have a company-wide cert signed by a "globally" trusted CA, but you're paranoid only want to trust the company cert, not a CA that signs half the world's certificates. In that case walking up the chain would select the wrong certificate.
Please correct me if my thinking is wrong.

Yes, a --root-ca-subject would work too. I assumed the PEM file is readily available.

We should do some validation of the PKCS#12 files and the certificates
within them, as currently ipa-server-install will happily accept
anything thrown at it. I think the minimum is to validate that the
PKCS#12 file contains the whole certificate chain, the server key and
only that, and that the server certificate has CN=<fqdn> (or
CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
don't do that, ipa-server-install might fail when it's too late to fix

I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcart certs. Is there a reasonable way to ask NSS if it will trust the cert? If there is I can put it in, but I don't want to re-create the validation.

The code checks for the whole cert chain, and that's there only one server cert. Does that not work?

Also, the RFE page states that the options to specify PKCS#12 files are
called --http_pkcs and --dirsrv_pkcs, but they are in fact called
--http_pkcs12 and --dirsrv_pkcs12.

Fixed, thanks.


Freeipa-devel mailing list

Reply via email to