Installing an IPA server with the --selfsign option is currently a one-way ticket
to a server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:
- moving the option to the bottom of the certificate options section
- adding a warning to the ipa-server-install man page
- adding a warning to the ipa-server-install help
- adding a warning to the ipa-server-install configuration summary
  shown when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
From 2dc4882c3173c2b18c2958f39a93fda73c73a634 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 3 Oct 2011 12:30:34 +0200
Subject: [PATCH] Be more clear about selfsign option
Installing an IPA server with the --selfsign option is currently a one-way ticket
to a server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:
- moving the option to the bottom of the certificate options section
- adding a warning to the ipa-server-install man page
- adding a warning to the ipa-server-install help
- adding a warning to the ipa-server-install configuration summary
  shown when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
---
install/tools/ipa-server-install | 10 --
install/tools/man/ipa-server-install.1 |8 +---
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 504d6af50f70278864dacf44cac9e4bbc832e069..7d961cb872efa6ce65cbb737871e000497a852b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -141,8 +141,6 @@ def parse_options():
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, certificate system options)
-cert_group.add_option(, --selfsign, dest=selfsign, action=store_true,
- default=False, help=Configure a self-signed CA instance rather than a dogtag CA)
cert_group.add_option(, --external-ca, dest=external_ca, action=store_true,
default=False, help=Generate a CSR to be signed by an external CA)
cert_group.add_option(, --external_cert_file, dest=external_cert_file,
@@ -166,6 +164,9 @@ def parse_options():
cert_group.add_option(--subject, action=callback, callback=subject_callback,
type=string,
help=The certificate subject base (default O=realm-name))
+cert_group.add_option(, --selfsign, dest=selfsign, action=store_true,
+ default=False, help=Configure a self-signed CA instance rather than a dogtag CA. \
+ WARNING: Certificate management capabilities will be limited)
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, DNS options)
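Review bot: the backslash line continuation inside the help string of the re-added `--selfsign` option carries the next line's leading indentation into the string, so the help text holds a run of spaces between "dogtag CA." and "WARNING:"; optparse's help formatter rewraps and collapses that whitespace, so it renders correctly, but implicit concatenation of two adjacent string literals ("... dogtag CA. " on one line, "WARNING: ..." on the next) is the idiomatic form and avoids relying on that. The help text should also say what the man page hunk says, that the setting cannot be changed later, since that is the point of ticket 1908 and `--help` is where most users will read it.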
@@ -667,6 +668,11 @@ def main():
print This program will set up the FreeIPA Server.
print
print This includes:
+if options.selfsign:
+print * Configure NSS to handle a self-signed CA
+print WARNING: certificate management capabilities will be limited
+else:
+print * Configure a stand-alone CA (dogtag) for certificate management
if options.conf_ntp:
print * Configure the Network Time Daemon (ntpd)
print * Create and configure an instance of Directory Server
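Review bot: the summary line printed under `if options.selfsign:` warns only that certificate management capabilities will be limited; it does not say that the choice is permanent, which is the "one-way ticket" point of the commit message and which the man page hunk states explicitly. This summary is the last thing the user sees before confirming the installation, so suggest adding the same "there is no way to change this setting later" sentence here, ideally reusing one string for the help text and the summary so the two warnings cannot drift apart. Please also confirm the new `else:` line ("Configure a stand-alone CA (dogtag)") is the intended wording for an `--external-ca` install, which takes that branch as well.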
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 306fceb190c8af261bd9f580c2043f8a28fe86ba..f305723b1926851c007d0fd177e52baa51d927d6 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -71,9 +71,6 @@ An unattended installation that will never prompt for user input
.SS CERTIFICATE SYSTEM OPTIONS
.TP
-\fB\-\-selfsign\fR
-Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates
-.TP
\fB\-\-external\-ca\fR
Generate a CSR to be signed by an external CA
.TP
@@ -106,6 +103,11 @@ The password of the Kerberos KDC PKCS#12 file
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-selfsign\fR
+Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
+
+WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later.
.SS DNS OPTIONS
.TP
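Review bot: in the new `--selfsign` man page entry, the empty line between the description and the WARNING paragraph is a blank input line in troff source, which is discouraged in man pages; a `.sp` request gives the same vertical space while keeping the `.TP` indentation. Wording: "restrain" should be "restrict" (or "limit", matching the `--help` text), and "Please, keep in mind" reads better as "Please keep in mind". Consider using exactly the same sentence as the option help so the man page and `--help` stay in sync.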
--
1.7.6.2
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel