#4457 Clarify documentation of CA-less install, make --root-ca-file optional
Closed: Fixed. Opened 9 years ago by jcholast.

People get all sorts of wrong ideas from the current documentation, like that the CA chain length must be 2, when in fact it can be any length and that the file specified in --root-ca-file must contain the whole CA chain, when in fact it must contain only the CA cert to be trusted by IPA.

With a certificate chain like CA -> subCA1 -> subCA2 -> server in the PKCS#12 file, the CA trusted by IPA must be subCA2 (which is what "certificate chain length must be 2" means) and the file specified in --root-ca-file must contain only the certificate for subCA2 (the root of trust for IPA, not the root CA cert).

Since which CA is trusted by IPA is not really configurable, make --root-ca-file optional if the CA certificate is present in the PKCS#12 file.


Replying to [ticket:4457 jcholast]:

With a certificate chain like CA -> subCA1 -> subCA2 -> server in the PKCS#12 file, the CA trusted by IPA must be subCA2 (which is what "certificate chain length must be 2" means) and the file specified in --root-ca-file must contain only the certificate for subCA2 (the root of trust for IPA, not the root CA cert).

IMO this was supposed to be a temporary limitation, wasn't it? I don't recall now why we don't allow longer chains, but we should eventually support them. And when we do, --root-ca-file will be needed again, so people's scripts will break.

Replying to [comment:1 pviktori]:

Replying to [ticket:4457 jcholast]:

With a certificate chain like CA -> subCA1 -> subCA2 -> server in the PKCS#12 file, the CA trusted by IPA must be subCA2 (which is what "certificate chain length must be 2" means) and the file specified in --root-ca-file must contain only the certificate for subCA2 (the root of trust for IPA, not the root CA cert).

IMO this was supposed to be a temporary limitation, wasn't it? I don't recall now why we don't allow longer chains, but we should eventually support them. And when we do, --root-ca-file will be needed again, so people's scripts will break.

Longer chains do not make sense. The CA certificate which issued the server certificates in the PKCS#12 files must be trusted, so that the server certificates are considered valid. If you trust a CA certificate deeper in the chain, the server certificates will not be considered valid and the server will not work properly.

The limitation was that there can be only one trusted CA certificate. This will be removed in 4.1.
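The rule stated in the comment above (IPA must trust the server certificate's direct issuer, not the root CA) as an added, runnable check; this is example code written for this page, not FreeIPA's own, and it assumes the Python `cryptography` library, ECDSA keys, and a constructed CA -> subCA1 -> subCA2 -> server chain packed into a PKCS#12 file:

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"Secret123"  # constructed sample PKCS#12 password

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    # Minimal X.509 cert for CN=cn, signed by issuer_key with ECDSA/SHA-256.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_pkcs12(password=PASSWORD):
    # Constructed chain CA -> subCA1 -> subCA2 -> server (as in the ticket), bundled
    # as server key + server cert + all three CA certs. Returns ({cn: PEM}, p12 bytes).
    names = ("CA", "subCA1", "subCA2", "server")
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in names}
    certs, issuer = {}, "CA"  # the root CA signs itself
    for cn in names:
        certs[cn] = make_cert(cn, keys[cn], issuer, keys[issuer], cn != "server")
        issuer = cn
    p12 = pkcs12.serialize_key_and_certificates(
        b"server", keys["server"], certs["server"], [certs[n] for n in names[:-1]],
        serialization.BestAvailableEncryption(password))
    return {n: c.public_bytes(serialization.Encoding.PEM) for n, c in certs.items()}, p12

def trusted_ca_for_pkcs12(p12_bytes, password=PASSWORD):
    # The CA IPA must trust is the server cert's direct issuer: the extra cert whose
    # subject equals the server's issuer AND whose key verifies the server's signature.
    _key, server, cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    for ca in cas or []:
        if ca.subject == server.issuer:
            try:  # ECDSA keys assumed, matching make_cert()
                ca.public_key().verify(server.signature, server.tbs_certificate_bytes,
                                       ec.ECDSA(server.signature_hash_algorithm))
                return ca
            except Exception:
                pass
    return None

def root_ca_file_matches(root_ca_pem, p12_bytes, password=PASSWORD):
    # Accept a --root-ca-file only if it holds exactly the server cert's issuer
    # (subCA2 here), not the root CA or any other CA further up the chain.
    return x509.load_pem_x509_certificate(root_ca_pem) == trusted_ca_for_pkcs12(p12_bytes, password)
```

With the whole chain present in the PKCS#12 file, `trusted_ca_for_pkcs12` alone identifies subCA2, which is why the ticket makes `--root-ca-file` optional in that case.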

We need to be very careful about the right wording. Before concluding, please run the final wording also by dpal, he would like to help with review.

master:

  • 6ad8c46 Make CA-less ipa-server-install option --root-ca-file optional.

ipa-4-0:

  • 063cd77 Add new NSSDatabase method get_cert for getting certs from NSS databases.
  • 7c690d7 Make CA-less ipa-server-install option --root-ca-file optional.

ipa-4-1:

  • be65682 Make CA-less ipa-server-install option --root-ca-file optional.

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago
