diff options
author | John Dennis <jdennis@redhat.com> | 2012-11-15 14:57:52 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:42 -0500 |
commit | a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 (patch) | |
tree | 1832274281bcb92cd933b2262b2be221efd031f5 /ipaserver/install/certs.py | |
parent | 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 (diff) | |
download | freeipa.git-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.gz freeipa.git-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.xz freeipa.git-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.zip |
Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r-- | ipaserver/install/certs.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bfbba08f..7b408586 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -227,7 +227,10 @@ class CertDB(object): if not subject_base: self.subject_base = DN(('O', 'IPA')) - self.cacert_name = get_ca_nickname(self.realm) + if self.self_signed_ca: + self.cacert_name = get_ca_nickname(self.realm, 'CN=%s Certificate Authority') + else: + self.cacert_name = get_ca_nickname(self.realm) self.valid_months = "120" self.keysize = "1024" |