-rw-r--r--BUILD.txt3
-rw-r--r--install/tools/man/ipa-replica-conncheck.12
-rw-r--r--ipa-client/man/default.conf.52
-rw-r--r--ipalib/plugins/cert.py5
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--tests/test_xmlrpc/test_cert_plugin.py4
6 files changed, 8 insertions, 13 deletions
diff --git a/BUILD.txt b/BUILD.txt
index df029a533..a5a04ebce 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -92,6 +92,3 @@ IPA is not relocatable.
When building rpms the version contains the GIT id in the version. To prevent
this pass the argument IPA_VERSION_IS_GIT_SNAPSHOT=yes to make.
-
-If you don't need a full CA during testing then using the self-signed CA
-(pass --selfsign to ipa-server-install) takes less time to install.
diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
index 2983eb621..566322cf0 100644
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -57,7 +57,7 @@ Remote replica machine address
.SS "COMMON OPTIONS"
.TP
\fB\-c\fR, \fB\-\-check\-ca\fR
-Include in a check also a set of dogtag connection requirements. When a replica is self\-sign this option is not needed.
+Include in a check also a set of dogtag connection requirements. Only needed when the master was installed with Dogtag 9 or lower.
.TP
\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-hostname\fR=\fIHOSTNAME\fR
The hostname of this server (FQDN). By default a nodename from uname(2) is used
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index a0804e39f..39af41fbf 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -152,7 +152,7 @@ Specifies the mount point that the development server will register. The default
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP
.B ra_plugin <name>
-Specifies the name of the CA back end to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
+Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
.TP
.B realm <realm>
Specifies the Kerberos realm.
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index a441a92ae..fbab0b4aa 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -50,9 +50,8 @@ Implements a set of commands for managing server SSL certificates.
Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.
-If using the selfsign back end then the subject in the CSR needs to match
-the subject configured in the server. The dogtag CA uses just the CN
-value of the CSR and forces the rest of the subject.
+The dogtag CA uses just the CN value of the CSR and forces the rest of the
+subject to values configured in the server.
A certificate is stored with a service principal and a service principal
needs a host.
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8c8994796..2bb6cb4e3 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -469,7 +469,6 @@ def stop_tracking_certificates(dogtag_constants):
class CAInstance(service.Service):
"""
- In the self-signed case the CA exists in the NSS_DB database.
When using a dogtag CA the DS database contains just the
server cert for DS. The mod_nss database will contain the RA agent
cert that will be used to do authenticated requests against dogtag.
@@ -1697,7 +1696,7 @@ def replica_ca_install_check(config, master_ds_port):
cafile = config.dir + "/cacert.p12"
if not ipautil.file_exists(cafile):
- # self-signed replica
+ # Replica of old "self-signed" master - CA won't be installed
return
master_ds_port = int(master_ds_port)
@@ -1759,7 +1758,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
cafile = config.dir + "/cacert.p12"
if not ipautil.file_exists(cafile):
- # self-signed replica
+ # Replica of old "self-signed" master - skip installing CA
return (None, None)
if not config.setup_ca:
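Review bot: The rewritten comment classifies a missing cacert.p12 as the legacy self-signed case, but `config.setup_ca` is only consulted on the line after the `return (None, None)`, so a replica file prepared for a CA-enabled master whose cacert.p12 is absent (truncated or mis-copied archive) is silently treated as legacy and no CA is installed, with nothing reported. Unless ipa-replica-install already rejects that combination before reaching here, the file check should distinguish the two: keep the early return for the legacy case but, when the caller asked for a CA, fail loudly, e.g. `if config.setup_ca: raise RuntimeError("%s is missing but CA setup was requested" % cafile)` placed before the return. The same silent return appears in replica_ca_install_check in the preceding hunk (the `# Replica of old "self-signed" master - CA won't be installed` branch) and would benefit from the same distinction, since that is the function meant to catch install-time problems early. Both install_replica_ca and replica_ca_install_check continue outside their hunks, so the later handling of `setup_ca` is not visible here.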
diff --git a/tests/test_xmlrpc/test_cert_plugin.py b/tests/test_xmlrpc/test_cert_plugin.py
index 906d1977a..508e9141a 100644
--- a/tests/test_xmlrpc/test_cert_plugin.py
+++ b/tests/test_xmlrpc/test_cert_plugin.py
@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
-Test the `ipalib/plugins/cert.py` module against the selfsign plugin.
+Test the `ipalib/plugins/cert.py` module against a RA.
"""
import sys
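Review bot: The new module docstring reads `against a RA`, which should be `an RA`, and now that the selfsign wording is gone it no longer says which back end the tests expect. The comment changed further down in this file talks about running against a Dogtag CA, so presumably that is the intended target; if so, `Test the `ipalib/plugins/cert.py` module against a dogtag RA.` would be more precise than the generic phrasing.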
@@ -57,7 +57,7 @@ def is_db_configured():
# To test against Apache directly then no changes are required. Just be
# sure the xmlrpc_uri in ~/.ipa/default.conf points to Apache.
#
-# To test against a selfsign or dogtag CA in the lite-server:
+# To test against Dogtag CA in the lite-server:
#
# - Copy the 3 NSS db files from /etc/httpd/alias to ~/.ipa/alias
# - Copy /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd.