#5257 revert to use ldapi to add kra agent in KRA install
Closed: Fixed None Opened 8 years ago by jcholast.

CA admin certificate is required for KRA install, which won't work if the certificate is expired.

KRA install should be modified to use the old method, which added the KRA agent directly by using ldapi.


From relevant mail discussion:

To automatically renew the cert, it should be enough to:

 1. after CA install, import ca-agent.p12 file into a private NSS database and remove it
 2. track the certificate in the private NSS database with certmonger

When the cert/private key is needed somewhere, it can be exported to a temporary file.

In IRC discussion it was decided to revert to using the old code that added the KRA agent directly - therefore changing the title and description.

In the future PKI will provide tools to add the KRA agent user and configure the cert mapping via LDAPI (https://fedorahosted.org/pki/ticket/1574) and IPA should use that instead.

freeipa-edewata-0377-Using-LDAPI-to-setup-CA-and-KRA-agents.patch

master:

  • 72cfcfa Using LDAPI to setup CA and KRA agents.

ipa-4-2:

  • 3973da5 Using LDAPI to setup CA and KRA agents.

Metadata Update from @jcholast:
- Issue assigned to edewata
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
