Re: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option

2011-10-04 Thread Jan Cholasta

On 3.10.2011 12:36, Martin Kosek wrote:

> Installing IPA server --selfsign option is currently a one-way ticket
> to server with limited certificate capabilities. Make sure that the user
> really wants to install it by implementing the following steps:
>
> - moving the option to the bottom of certificate options section
> - adding a warning to ipa-server-install man page
> - adding a warning to ipa-server-install help
> - adding a warning to ipa-server-install configuration summary
>   when one runs ipa-server-install
>
> https://fedorahosted.org/freeipa/ticket/1908



ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option

2011-10-04 Thread Martin Kosek
On Tue, 2011-10-04 at 10:34 +0200, Jan Cholasta wrote:
> On 3.10.2011 12:36, Martin Kosek wrote:
>> Installing IPA server --selfsign option is currently a one-way ticket
>> to server with limited certificate capabilities. Make sure that the user
>> really wants to install it by implementing the following steps:
>>
>> - moving the option to the bottom of certificate options section
>> - adding a warning to ipa-server-install man page
>> - adding a warning to ipa-server-install help
>> - adding a warning to ipa-server-install configuration summary
>>   when one runs ipa-server-install
>>
>> https://fedorahosted.org/freeipa/ticket/1908
>
> ACK.
>
> Honza

Pushed to master, ipa-2-1.

Martin



[Freeipa-devel] [PATCH] 133 Be more clear about selfsign option

2011-10-03 Thread Martin Kosek
Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
  when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908

From 2dc4882c3173c2b18c2958f39a93fda73c73a634 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 3 Oct 2011 12:30:34 +0200
Subject: [PATCH] Be more clear about selfsign option

Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
  when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908
---
 install/tools/ipa-server-install   |   10 --
 install/tools/man/ipa-server-install.1 |8 +---
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 504d6af50f70278864dacf44cac9e4bbc832e069..7d961cb872efa6ce65cbb737871e000497a852b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -141,8 +141,6 @@ def parse_options():
 parser.add_option_group(basic_group)
 
 cert_group = OptionGroup(parser, certificate system options)
-cert_group.add_option(, --selfsign, dest=selfsign, action=store_true,
-  default=False, help=Configure a self-signed CA instance rather than a dogtag CA)
 cert_group.add_option(, --external-ca, dest=external_ca, action=store_true,
   default=False, help=Generate a CSR to be signed by an external CA)
 cert_group.add_option(, --external_cert_file, dest=external_cert_file,
@@ -166,6 +164,9 @@ def parse_options():
 cert_group.add_option(--subject, action=callback, callback=subject_callback,
   type=string,
   help=The certificate subject base (default O=realm-name))
+cert_group.add_option(, --selfsign, dest=selfsign, action=store_true,
+  default=False, help=Configure a self-signed CA instance rather than a dogtag CA.  \
+  WARNING: Certificate management capabilities will be limited)
 parser.add_option_group(cert_group)
 
 dns_group = OptionGroup(parser, DNS options)
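Review bot: In the added --selfsign option, the help text is continued with a trailing backslash and the next line starts with indentation; if that continuation sits inside the string literal, the indentation becomes part of the help text and shows up as a run of spaces before "WARNING" in the --help output. Splitting the text into two adjacent string literals inside the parentheses avoids that. The help warning also leaves out the point the man page makes, that the setting cannot be changed later; saying so here would keep the two consistent.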
@@ -667,6 +668,11 @@ def main():
 print This program will set up the FreeIPA Server.
 print 
 print This includes:
+if options.selfsign:
+print   * Configure NSS to handle a self-signed CA
+print WARNING: certificate management capabilities will be limited
+else:
+print   * Configure a stand-alone CA (dogtag) for certificate management
 if options.conf_ntp:
 print   * Configure the Network Time Daemon (ntpd)
 print   * Create and configure an instance of Directory Server
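Review bot: The warning in the options.selfsign branch is printed as one more line inside the "This includes:" list, where it is easy to read past, and it says only that capabilities "will be limited", not that the choice cannot be changed later as the man page states. Consider printing it on its own after the list, with the irreversibility spelled out. The capitalisation also differs from the help string ("WARNING: certificate" here, "WARNING: Certificate" there).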
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 306fceb190c8af261bd9f580c2043f8a28fe86ba..f305723b1926851c007d0fd177e52baa51d927d6 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -71,9 +71,6 @@ An unattended installation that will never prompt for user input
 
 .SS CERTIFICATE SYSTEM OPTIONS
 .TP
-\fB\-\-selfsign\fR
-Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates
-.TP
 \fB\-\-external\-ca\fR
 Generate a CSR to be signed by an external CA
 .TP
@@ -106,6 +103,11 @@ The password of the Kerberos KDC PKCS#12 file
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-selfsign\fR
+Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
+
+WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later.
 
 .SS DNS OPTIONS
 .TP
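Review bot: The added WARNING paragraph for --selfsign says the option "will restrain the server certificate management capabilities" without naming what is lost; "limit" reads more naturally than "restrain", and a short list of the affected capabilities would let an administrator judge the trade-off before installing. The empty line before the WARNING is also a raw blank line in the roff source; a paragraph macro such as .IP would keep the warning explicitly attached to the --selfsign item.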
-- 
1.7.6.2
