On 27.3.2013 16:23, Petr Viktorin wrote:
On 03/27/2013 03:44 PM, Jan Cholasta wrote:
I have gone through the whole discussion, RFE page and your patches, and
I still don't see why --root-ca-file is necessary. Walking the
certificate chain from the server cert up to the root CA is easy, so why
not do that to determine the root CA? If the option is there just to
ensure that the right certificate is used, I think it would be better to
ask the user to confirm that during the installation process, or use
--root-ca-subject or similar option to specify what certificate to use.

Well, --root-ca-file specifies the root of trust, not necessarily the
self-signed/unsigned CA at end of the trust chain.
Suppose you have a company-wide cert signed by a "globally" trusted CA,
but you're paranoid and only want to trust the company cert, not a CA that
signs half the world's certificates. In that case walking up the chain
would select the wrong certificate.
Please correct me if my thinking is wrong.

Makes sense, thanks. Can you please put this information in the RFE page?

Yes, a --root-ca-subject would work too. I assumed the PEM file is
readily available.

Well, I don't like how the PEM file duplicates an unnecessary amount of information (the whole certificate). Also, copy-pasting the subject might be faster than exporting the certificate in PEM and uploading it to the server...

We should do some validation of the PKCS#12 files and the certificates
within them, as currently ipa-server-install will happily accept
anything thrown at it. I think the minimum is to validate that the
PKCS#12 file contains the whole certificate chain, the server key and
only that, and that the server certificate has CN=<fqdn> (or
CN=*.<domain> if we want to allow wildcard certs) in its subject. If we
don't do that, ipa-server-install might fail when it's too late to fix

I don't want to check the subject because this RFE was prompted by IPA's
normal CA rejecting valid wildcard certs. Is there a reasonable way to
ask NSS if it will trust the cert? If there is I can put it in, but I
don't want to re-create the validation.

I'm not sure TBH. Maybe someone with more NSS experience could answer this?

The code checks for the whole cert chain, and that there's only one
server cert. Does that not work?

Actually I didn't check this specifically. But I used a server certificate with the wrong subject and that made ipa-server-install fail.
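As an added illustration of the validation sketched above (exactly one key, exactly one server cert that belongs to it, the complete chain, a host-name check that also accepts wildcard certs) and of the point that the root of trust need not be the self-signed CA at the end of the chain, the script below is example code written for this discussion; it is neither FreeIPA's code nor anything posted in the thread. It assumes a POSIX sh and the openssl command-line tool (1.1.1 or newer), and the certificates it generates in make_fixture are constructed test data with made-up names.

```shell
#!/bin/sh
# check_pkcs12 FILE.p12 PASSWORD FQDN ROOT_CA_FILE  -> exit 0 if the bundle
# passes all checks. Example code, not FreeIPA's installer logic.
#   1. the bundle opens with PASSWORD and holds exactly one private key;
#   2. exactly one end-entity cert is paired with that key (same public key);
#   3. that cert chains to the anchor in ROOT_CA_FILE using only the CA certs
#      carried in the bundle; -partial_chain lets the anchor be an
#      intermediate "company" CA instead of a self-signed root;
#   4. the cert is valid for FQDN (SAN or CN; OpenSSL accepts *.domain).
check_pkcs12() {
    work=$(mktemp -d) || return 1
    _check_pkcs12_in "$work" "$@"
    rc=$?
    rm -rf "$work"
    return $rc
}

_check_pkcs12_in() {
    work=$1 p12=$2 pass=$3 fqdn=$4 anchor=$5
    # Split the bundle: private keys, the cert(s) carrying a localKeyID that
    # pairs them with a key (-clcerts), and the remaining CA certs (-cacerts).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$work/keys.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$work/leaf.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
        -out "$work/cas.pem" >/dev/null 2>&1 || return 1
    nkeys=$(grep -c 'BEGIN .*PRIVATE KEY' "$work/keys.pem" || true)
    nleaf=$(grep -c 'BEGIN CERTIFICATE' "$work/leaf.pem" || true)
    [ "$nkeys" -eq 1 ] && [ "$nleaf" -eq 1 ] || return 1
    # The server certificate must belong to the server key.
    pub_key=$(openssl pkey -in "$work/keys.pem" -pubout 2>/dev/null) || return 1
    pub_crt=$(openssl x509 -in "$work/leaf.pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ] || return 1
    # Chain + host name. Only ROOT_CA_FILE is trusted: the default CA file and
    # directory are disabled (OpenSSL 3 users may add -no-CAstore as well).
    untrusted=
    grep -q 'BEGIN CERTIFICATE' "$work/cas.pem" && untrusted="-untrusted $work/cas.pem"
    openssl verify -no-CAfile -no-CApath -CAfile "$anchor" -partial_chain \
        -verify_hostname "$fqdn" $untrusted "$work/leaf.pem" >/dev/null 2>&1
}

# Constructed fixture (made-up names, not real data): root CA -> issuing CA ->
# server cert with subjectAltName DNS:$2. Writes $1/server.p12 (with chain)
# and $1/nochain.p12 (leaf only), password "secret", plus an unrelated
# self-signed CA in $1/other.pem for negative checks.
make_fixture() {
    dir=$1 san=$2
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:$san
EOF
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ext.cnf -extensions ca \
          -subj "/CN=Example Root CA" -keyout root.key -out root.pem &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ext.cnf -extensions ca \
          -subj "/CN=Unrelated Root CA" -keyout other.key -out other.pem &&
      openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
          -subj "/CN=Example Issuing CA" -keyout inter.key -out inter.csr &&
      openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ext.cnf -extensions ca -out inter.pem &&
      openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
          -subj "/CN=$san" -keyout server.key -out server.csr &&
      openssl x509 -req -days 30 -in server.csr -CA inter.pem -CAkey inter.key \
          -CAcreateserial -extfile ext.cnf -extensions server -out server.pem &&
      cat inter.pem root.pem > chain.pem &&
      openssl pkcs12 -export -inkey server.key -in server.pem -certfile chain.pem \
          -passout pass:secret -out server.p12 &&
      openssl pkcs12 -export -inkey server.key -in server.pem \
          -passout pass:secret -out nochain.p12 ) >/dev/null 2>&1
}

# Run directly: ./check_pkcs12.sh FILE.p12 PASSWORD FQDN ROOT_CA_FILE
if [ "$#" -eq 4 ]; then
    check_pkcs12 "$@" && echo "bundle accepted" || { echo "bundle rejected"; exit 1; }
fi
```

Passing the issuing CA as ROOT_CA_FILE makes the same bundle verify even though that CA is not self-signed, which is exactly the "trust only the company cert" case; passing an unrelated CA, the wrong host name, or a bundle missing its intermediate is rejected. Note that this is an OpenSSL-based check, not the NSS trust decision the installer itself makes, and it does not reject extra CA certificates in the bundle that are unrelated to the chain.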

