Issue #4480: Make external CA chain installer options more usable - freeipa

freeipa

#4480 Make external CA chain installer options more usable

Closed: Fixed None Opened 9 years ago by jcholast.

CA installation should be as straightforward as possible, many users stump on that.

Make the options more usable, at least:

Currently we support only PEM certificate files. PKCS#7 is a common format for certificate chains, we should support it as well.
Improve validator to catch certificate without an extension (details in comment:2).

mkosek commented 9 years ago

Related (private) Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1111320

pviktori commented 9 years ago

We also need to beef up our validation.

When I made a mistake signing the request, and didn't add any extensions to it, the installation crashed with IndexError as in #4397.

pviktori commented 9 years ago

Reproducer for comment 2 (If necessary, adjust the IP addresses, hostnames, etc. to fit your environment.)
index-error-reproducer.sh

mkosek commented 9 years ago

This a stretch goal for 4.1.

mkosek commented 9 years ago

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=886645 (Red Hat Enterprise Linux 7)

mkosek commented 9 years ago

master:

60ecba7 Add NSSDatabase.import_files method for importing files in various formats
3aa0731 External CA installer options usability fixes
8808388 CA-less installer options usability fixes
3cde7e9 Allow choosing CA-less server certificates by name
83cbfa8 Do stricter validation of CA certificates

ipa-4-1:

b93bdb7 Add NSSDatabase.import_files method for importing files in various formats
6136a3e External CA installer options usability fixes
a29ee45 CA-less installer options usability fixes
01623f7 Allow choosing CA-less server certificates by name
0c4d7da Do stricter validation of CA certificates

mkosek commented 9 years ago

master:

2421b13 Fix ImportError in ipa-ca-install

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1

7 years ago

Metadata

Assignee

jcholast

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.1

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Installation

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

pviktori

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=886645

tester

None

changelog

None

design

http://www.freeipa.org/page/V4/Installer_CA_options_usability_improvements

freeipa

Source Code

#4480 Make external CA chain installer options more usable Closed: Fixed None Opened 9 years ago by jcholast.

Metadata

#4480 Make external CA chain installer options more usable

Closed: Fixed None Opened 9 years ago by jcholast.