2:56 a.m.
URL: https://github.com/freeipa/freeipa/pull/798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: opened
PR body:
"""
**certdb: add named trust flag constants**
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
**certdb, certs: make trust flags argument mandatory**
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
**certdb: use custom object for trust flags**
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
**install: trust IPA CA for PKINIT**
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
**client install: fix client PKINIT configuration**
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
**server install: fix KDC PKINIT configuration**
Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
**certs: do not export CA certs in install_pem_from_p12**
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.
**server install: fix KDC certificate validation in CA-less**
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.
**cacert manage: support PKINIT**
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
**server certinstall: support PKINIT**
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798
3:28 a.m.
New subject: [freeipa PR#798][+ack] [4.5] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT
Label: +ack
5:35 a.m.
New subject: [freeipa PR#798][+pushed] [4.5] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT
Label: +pushed
5:35 a.m.
New subject: [freeipa PR#798][comment] [4.5] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT
MartinBasti commented:
"""
ipa-4-5:
* 6338dbe47313a70b93bbf53855db451145d24544 certdb: add named trust flag constants
* 749d504f4335c375cf86bf44814177f03be61b52 certdb, certs: make trust flags argument
mandatory
* e68812331526269f3b556c339f65077f649110d3 certdb: use custom object for trust flags
* 16b295c5a8580accfbbab016f3cc4eef0a704163 install: trust IPA CA for PKINIT
* 63c4cbd619f81f16e0c08d3786b69d348c9dcfd7 client install: fix client PKINIT
configuration
* 523a82652e2f95704a07ac25cc829a0782b9e22a install: introduce generic Kerberos Augeas
lens
* b83ebe0e3ff692de37f28834d09a423d04e6ad68 server install: fix KDC PKINIT configuration
* 5cf5395eb51ff5ec8164075a5ee573abe76bc15e ipapython.ipautil.run: Add option to set umask
before executing command
* e6497f099c09dfa60bd6ae98e4692e99b7381752 certs: do not export keys world-readable in
install_key_from_p12
* bc8deb118dce93fc380793c75090d9108ce61541 certs: do not export CA certs in
install_pem_from_p12
* cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af server install: fix KDC certificate validation
in CA-less
* 77ef29ef30086c714025d97328507bd51e3f0421 replica install: respect --pkinit-cert-file
* 6f900ec60a426a2b97823d4612949a953fa6d49b cacert manage: support PKINIT
* e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc server certinstall: support PKINIT
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/798#issuecomment-302669425
5:35 a.m.
New subject: [freeipa PR#798][closed] [4.5] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798
2532
days inactive
2532
days old
freeipa-devel@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
HonzaCholasta -
MartinBasti
-
stlaz