HonzaCholasta
2017-05-19 07:56:37 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: opened
PR body:
"""
**certdb: add named trust flag constants**
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
**certdb, certs: make trust flags argument mandatory**
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
**certdb: use custom object for trust flags**
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
**install: trust IPA CA for PKINIT**
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
**client install: fix client PKINIT configuration**
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
**server install: fix KDC PKINIT configuration**
Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
**certs: do not export CA certs in install_pem_from_p12**
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.
**server install: fix KDC certificate validation in CA-less**
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.
**cacert manage: support PKINIT**
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
**server certinstall: support PKINIT**
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: opened
PR body:
"""
**certdb: add named trust flag constants**
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
**certdb, certs: make trust flags argument mandatory**
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
**certdb: use custom object for trust flags**
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
**install: trust IPA CA for PKINIT**
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
**client install: fix client PKINIT configuration**
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
**server install: fix KDC PKINIT configuration**
Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
**certs: do not export CA certs in install_pem_from_p12**
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.
**server install: fix KDC certificate validation in CA-less**
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.
**cacert manage: support PKINIT**
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
**server certinstall: support PKINIT**
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798