On 29.3.2013 15:31, Petr Viktorin wrote:
On 03/29/2013 11:20 AM, Jan Cholasta wrote:
On 29.3.2013 11:14, Jan Cholasta wrote:
Also I was able to install IPA with revoked certificates, but it doesn't
seem to break anything - the CRL specified in the certificates' CRL
distribution point is not automatically imported into any of the NSS
databases and when it is imported manually, everything still seems to
work fine. I haven't checked OCSP. Can and/or do we want to do something
about this?


Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for "CN=ipa.example.com,O=Example"
((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
-8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
revoked.

I think we can live with not checking CRLs now. I haven't found a way to
download CRLs with certutil or python-nss (short of explicitly examining
the certs, downloading the CRL and importing it, but I don't think IPA
is the place for that).
I've asked John.

OK, thanks.


Patch 205:

Can we instead require the PKCS#12 files to always contain the whole
certificate chain? IMO that way it would be more obvious what should
actually be in the files and it would make things easier should there
ever be need for --root-ca-subject.

Not requiring the root CA is a convenient shortcut. It's common to have
certs signed directly by the CA, and in this case you can use either a
single-cert PKCS#12 or one with the full chain.
Actually, originally the full chain was required, and a user already
complained :)

If we add a new option, we can specify its requirements on the other
options.

No problem.


Adding a new patch for client installation.


This is nothing critical, but I think that make-testcert should check if dogtag is installed and when it's not, print a message informing the user that they should issue the test certificate manually and place it in the appropriate location.

Besides that, ACK.

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to