URL: https://github.com/freeipa/freeipa/pull/108 Author: frasertweedale Title: #108: https://fedorahosted.org/freeipa/ticket/6256 Action: opened
PR body: """ None """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108
From b3a5c7face04c6a9a3b2c78f0794fde98b855387 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 23 Sep 2016 16:01:19 +1000 Subject: [PATCH 1/2] spec: require Dogtag >= 10.3.5-6 Require Dogtag 10.3.5-6, which is the first release that implements revocation of lightweight CA signing certificates upon deletion. Part of: https://fedorahosted.org/freeipa/ticket/6256 --- freeipa.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b0e4b2..cab0233 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -97,7 +97,7 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.3-3 +BuildRequires: pki-base >= 10.3.5-6 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 @@ -161,8 +161,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.3-3 -Requires: pki-kra >= 10.3.3-3 +Requires: pki-ca >= 10.3.5-6 +Requires: pki-kra >= 10.3.5-6 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip From 610cb77a7f42d6c0eb20725f6319a46b786b106d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 23 Sep 2016 16:05:55 +1000 Subject: [PATCH 2/2] Add commentary about CA deletion to plugin doc Add commentary to 'ca' plugin documentation to explain what happens when a CA gets deleted - namely, that its signing cert gets revoked and its private key deleted. Fixes: https://fedorahosted.org/freeipa/ticket/6256 --- ipaserver/plugins/ca.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 4d83fe8..3cdc9f2 100644 
--- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -25,6 +25,9 @@ prevents it from issuing certificates but does not affect the validity of its certificate. +CAs (all except the 'IPA' CA) can be deleted. Deleting a CA causes its signing +certificate to be revoked and its private key deleted. + EXAMPLES: @@ -41,6 +44,10 @@ ipa ca-enable puppet + Delete a CA. + + ipa ca-del puppet + """)
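Review bot: The commit message of patch 1/2 motivates only a runtime need (Dogtag revoking lightweight CA signing certificates upon deletion), yet the first freeipa.spec.in hunk (@@ -97,7 +97,7 @@) also raises `BuildRequires: pki-base` to 10.3.5-6. If nothing at build time depends on the newer pki-base, say in the commit message that this line is bumped only to keep build and runtime versions aligned; if something does, name it there.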
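Review bot: Style point on the second freeipa.spec.in hunk (@@ -161,8 +161,8 @@): with `Requires: pki-ca >= 10.3.5-6` and `Requires: pki-kra >= 10.3.5-6`, plus the pki-base line in the previous hunk, the same version literal now appears three times, while the context lines directly above use macros (%{selinux_policy_version}, %{slapi_nis_version}). Consider defining one macro for the minimum Dogtag version and using it on all three lines, so that a later bump cannot update two of them and miss the third.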
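Review bot: Missing documentation in the first ipaserver/plugins/ca.py hunk (@@ -25,6 +25,9 @@): the added paragraph says the signing certificate is revoked and the private key deleted, but does not state whether deletion can be undone or how it relates to disabling, which the context line just above describes as something that "does not affect the validity of its certificate". Since an administrator reading this text is choosing between ca-disable and ca-del, add a sentence that states the reversibility of deletion explicitly and points to disabling for the case where the goal is only to stop issuance.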