diff options
| author | Martin Kosek <mkosek@redhat.com> | 2011-10-03 12:30:34 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-10-04 11:00:42 +0200 |
| commit | 28603e0c3ac20390a860347afb7a6ed976166e03 (patch) | |
| tree | 277abd57b77dd4d10718a7cee0f77d504420e44b | |
| parent | 48a67d9a2e932b21d55cd5a2668ed8a9f11e1564 (diff) | |
| download | freeipa-28603e0c3ac20390a860347afb7a6ed976166e03.tar.gz freeipa-28603e0c3ac20390a860347afb7a6ed976166e03.tar.xz freeipa-28603e0c3ac20390a860347afb7a6ed976166e03.zip | |
Be more clear about selfsign option
Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:
- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
| -rwxr-xr-x | install/tools/ipa-server-install | 10 | ||||
| -rw-r--r-- | install/tools/man/ipa-server-install.1 | 8 |
2 files changed, 13 insertions, 5 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 504d6af50..7d961cb87 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -141,8 +141,6 @@ def parse_options(): parser.add_option_group(basic_group) cert_group = OptionGroup(parser, "certificate system options") - cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true", - default=False, help="Configure a self-signed CA instance rather than a dogtag CA") cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", default=False, help="Generate a CSR to be signed by an external CA") cert_group.add_option("", "--external_cert_file", dest="external_cert_file", @@ -166,6 +164,9 @@ def parse_options(): cert_group.add_option("--subject", action="callback", callback=subject_callback, type="string", help="The certificate subject base (default O=<realm-name>)") + cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true", + default=False, help="Configure a self-signed CA instance rather than a dogtag CA. " \ + "WARNING: Certificate management capabilities will be limited") parser.add_option_group(cert_group) dns_group = OptionGroup(parser, "DNS options") @@ -667,6 +668,11 @@ def main(): print "This program will set up the FreeIPA Server." print "" print "This includes:" + if options.selfsign: + print " * Configure NSS to handle a self-signed CA" + print " WARNING: certificate management capabilities will be limited" + else: + print " * Configure a stand-alone CA (dogtag) for certificate management" if options.conf_ntp: print " * Configure the Network Time Daemon (ntpd)" print " * Create and configure an instance of Directory Server" diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 074c8d3dc..7cc4983b8 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -72,9 +72,6 @@ An unattended installation that will never prompt for user input .SS "CERTIFICATE SYSTEM OPTIONS" .TP -\fB\-\-selfsign\fR -Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates -.TP \fB\-\-external\-ca\fR Generate a CSR to be signed by an external CA .TP @@ -107,6 +104,11 @@ The password of the Kerberos KDC PKCS#12 file .TP \fB\-\-subject\fR=\fISUBJECT\fR The certificate subject base (default O=REALM.NAME) +.TP +\fB\-\-selfsign\fR +Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates. + +WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later. .SS "DNS OPTIONS" .TP |