[389-users] Re: unattended request cert process
> On 2 Dec 2020, at 19:04, Angel Bosch Mora wrote:
>
>> depending on your version of 389, look at "dsctl tls
>> import-ca"
>>
>> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca
>> --help
>> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>>
>> positional arguments:
>> cert_path The path to the x509 cert to import as a server CA
>> nicknameThe name of the certificate once imported
>>
>> optional arguments:
>> -h, --help show this help message and exit
>>
>> This allows you to import a PEM CA file. There are a number of other
>> helpers under the tls subcommand to make cert management easier.
>>
>
>
> all this is pretty new, right?
>
> I can't recall reading this last time I checked docs.
I don't remember what version it was landed in, but certainly one 1.4.x
somewhere.
>
> anyway, my main problem is that to deploy a node in a truly unattended mode
> It shouldn't pause at CSR request and continue when CA sign certificates, so
> I'm trying to have some preconfigured cert databases and signed certs.
>
> If there's no way to do that, I can't dynamically create and destroy nodes.
>
> the other option is letting the loadbalancer handle encryption, but official
> docs are very aggressive against that option, but I wonder if I should ignore
> that recommendation and encrypt at LB level.
> any hints?
You can setup an instance with *no* TLS setup with self_signed = false in the
setup.inf, then you can later add the nssdb + enable encryption. That's
probably what you want here.
>
> abosch
> -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol
> fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i
> pot contenir informacio confidencial. En cap cas no heu de copiar aquest
> missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si
> no sou la persona destinataria que s'hi indica (o la responsable de
> lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca
> electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau
> si es realment necessari.
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
[389-users] Re: unattended request cert process
Hi abosch,
Have you looked at preconfiguring the cert db's with a wildcard cert from a CA
to avoid the request/sign dance?
Trev
On 2020-12-02, 1:04 AM, "Angel Bosch Mora" wrote:
[CAUTION: Non-UBC Email]
> depending on your version of 389, look at "dsctl tls
> import-ca"
>
> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca
> --help
> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>
> positional arguments:
> cert_path The path to the x509 cert to import as a server CA
> nicknameThe name of the certificate once imported
>
> optional arguments:
> -h, --help show this help message and exit
>
> This allows you to import a PEM CA file. There are a number of other
> helpers under the tls subcommand to make cert management easier.
>
all this is pretty new, right?
I can't recall reading this last time I checked docs.
anyway, my main problem is that to deploy a node in a truly unattended mode
It shouldn't pause at CSR request and continue when CA sign certificates, so
I'm trying to have some preconfigured cert databases and signed certs.
If there's no way to do that, I can't dynamically create and destroy nodes.
the other option is letting the loadbalancer handle encryption, but
official docs are very aggressive against that option, but I wonder if I should
ignore that recommendation and encrypt at LB level.
any hints?
abosch
-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau,
qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es
destinataria i pot contenir informacio confidencial. En cap cas no heu de
copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de
l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de
lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica
de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment
necessari.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
[389-users] Re: unattended request cert process
> depending on your version of 389, look at "dsctl tls
> import-ca"
>
> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca
> --help
> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>
> positional arguments:
> cert_path The path to the x509 cert to import as a server CA
> nicknameThe name of the certificate once imported
>
> optional arguments:
> -h, --help show this help message and exit
>
> This allows you to import a PEM CA file. There are a number of other
> helpers under the tls subcommand to make cert management easier.
>
all this is pretty new, right?
I can't recall reading this last time I checked docs.
anyway, my main problem is that to deploy a node in a truly unattended mode It
shouldn't pause at CSR request and continue when CA sign certificates, so I'm
trying to have some preconfigured cert databases and signed certs.
If there's no way to do that, I can't dynamically create and destroy nodes.
the other option is letting the loadbalancer handle encryption, but official
docs are very aggressive against that option, but I wonder if I should ignore
that recommendation and encrypt at LB level.
any hints?
abosch
-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol
fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i
pot contenir informacio confidencial. En cap cas no heu de copiar aquest
missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no
sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi)
us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona
remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
