summaryrefslogtreecommitdiffstats
path: root/install/tools
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2011-10-03 12:30:34 +0200
committerMartin Kosek <mkosek@redhat.com>2011-10-04 11:00:42 +0200
commit28603e0c3ac20390a860347afb7a6ed976166e03 (patch)
tree277abd57b77dd4d10718a7cee0f77d504420e44b /install/tools
parent48a67d9a2e932b21d55cd5a2668ed8a9f11e1564 (diff)
downloadfreeipa-28603e0c3ac20390a860347afb7a6ed976166e03.tar.gz
freeipa-28603e0c3ac20390a860347afb7a6ed976166e03.tar.xz
freeipa-28603e0c3ac20390a860347afb7a6ed976166e03.zip
Be more clear about selfsign option
Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really want to install it by implementing the following steps: - moving the option to the bottom of certificate options section - adding a warning to ipa-server-install man page - adding a warning to ipa-server-install help - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install https://fedorahosted.org/freeipa/ticket/1908
Diffstat (limited to 'install/tools')
-rwxr-xr-xinstall/tools/ipa-server-install10
-rw-r--r--install/tools/man/ipa-server-install.18
2 files changed, 13 insertions, 5 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 504d6af50..7d961cb87 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -141,8 +141,6 @@ def parse_options():
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
- cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true",
- default=False, help="Configure a self-signed CA instance rather than a dogtag CA")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
@@ -166,6 +164,9 @@ def parse_options():
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
+ cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true",
+ default=False, help="Configure a self-signed CA instance rather than a dogtag CA. " \
+ "WARNING: Certificate management capabilities will be limited")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
@@ -667,6 +668,11 @@ def main():
print "This program will set up the FreeIPA Server."
print ""
print "This includes:"
+ if options.selfsign:
+ print " * Configure NSS to handle a self-signed CA"
+ print " WARNING: certificate management capabilities will be limited"
+ else:
+ print " * Configure a stand-alone CA (dogtag) for certificate management"
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
print " * Create and configure an instance of Directory Server"
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 074c8d3dc..7cc4983b8 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -72,9 +72,6 @@ An unattended installation that will never prompt for user input
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
-\fB\-\-selfsign\fR
-Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates
-.TP
\fB\-\-external\-ca\fR
Generate a CSR to be signed by an external CA
.TP
@@ -107,6 +104,11 @@ The password of the Kerberos KDC PKCS#12 file
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-selfsign\fR
+Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
+
+WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later.
.SS "DNS OPTIONS"
.TP