Discussion:
[Freeipa-devel] [freeipa PR#798][opened] [4.5] install: fix CA-less PKINIT
HonzaCholasta
2017-05-19 07:56:37 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: opened

PR body:
"""
**certdb: add named trust flag constants**

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

**certdb, certs: make trust flags argument mandatory**

Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

**certdb: use custom object for trust flags**

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

**install: trust IPA CA for PKINIT**

Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

**client install: fix client PKINIT configuration**

Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

**server install: fix KDC PKINIT configuration**

Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.

Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

**certs: do not export CA certs in install_pem_from_p12**

This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.

**server install: fix KDC certificate validation in CA-less**

Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

**cacert manage: support PKINIT**

Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

**server certinstall: support PKINIT**

Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798
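The KDC certificate check the PR body describes for CA-less server install ("Verify that the provided certificate has the extended key usage and subject alternative name required for KDC"), as an added example that is not FreeIPA's own code: it uses the `cryptography` library, takes the id-pkinit-KPKdc EKU and id-pkinit-san otherName OIDs from RFC 4556, and builds two self-signed test certificates (realm and host names are made up) so the check can be run offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

ID_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5")  # id-pkinit-KPKdc EKU (RFC 4556)
ID_PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")    # id-pkinit-san otherName type (RFC 4556)

def der(tag, body):
    """Minimal DER TLV; short-form length suffices for everything encoded here."""
    return bytes([tag, len(body)]) + body

def krb5_principal_name(realm, *components):
    """DER-encode KRB5PrincipalName (RFC 4556 3.2.2); name-type 2 = NT-SRV-INST."""
    name_string = der(0x30, b"".join(der(0x1B, c.encode()) for c in components))
    principal = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, name_string))
    return der(0x30, der(0xA0, der(0x1B, realm.encode())) + der(0xA1, principal))

def check_kdc_cert(cert):
    """Return a list of problems; an empty list means the cert is usable as a KDC cert."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound as exc:
        return [f"required extension absent: {exc}"]
    problems = []
    if ID_PKINIT_KDC not in eku:
        problems.append("missing id-pkinit-KDC extended key usage")
    if not any(n.type_id == ID_PKINIT_SAN for n in san.get_values_for_type(x509.OtherName)):
        problems.append("missing id-pkinit-san otherName in subjectAltName")
    return problems

def sample_kdc_cert(valid=True):
    """Constructed self-signed cert (not a real KDC cert): valid=True carries the KDC EKU
    and a KRB5PrincipalName SAN, valid=False is an ordinary TLS server certificate."""
    if valid:
        eku = [ID_PKINIT_KDC]
        san = [x509.OtherName(ID_PKINIT_SAN, krb5_principal_name("EXAMPLE.TEST", "krbtgt", "EXAMPLE.TEST"))]
    else:
        eku, san = [ExtendedKeyUsageOID.SERVER_AUTH], [x509.DNSName("kdc.example.test")]
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "kdc.example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1))
               .add_extension(x509.ExtendedKeyUsage(eku), critical=False)
               .add_extension(x509.SubjectAlternativeName(san), critical=False))
    return builder.sign(key, hashes.SHA256())
```

Running `check_kdc_cert` on a certificate loaded with `x509.load_pem_x509_certificate` gives the same result for a real `--pkinit-cert-file` candidate.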
stlaz
2017-05-19 08:28:30 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT

Label: +ack
MartinBasti
2017-05-19 10:35:19 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT

Label: +pushed
MartinBasti
2017-05-19 10:35:21 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Title: #798: [4.5] install: fix CA-less PKINIT

MartinBasti commented:
"""
ipa-4-5:

* 6338dbe47313a70b93bbf53855db451145d24544 certdb: add named trust flag constants
* 749d504f4335c375cf86bf44814177f03be61b52 certdb, certs: make trust flags argument mandatory
* e68812331526269f3b556c339f65077f649110d3 certdb: use custom object for trust flags
* 16b295c5a8580accfbbab016f3cc4eef0a704163 install: trust IPA CA for PKINIT
* 63c4cbd619f81f16e0c08d3786b69d348c9dcfd7 client install: fix client PKINIT configuration
* 523a82652e2f95704a07ac25cc829a0782b9e22a install: introduce generic Kerberos Augeas lens
* b83ebe0e3ff692de37f28834d09a423d04e6ad68 server install: fix KDC PKINIT configuration
* 5cf5395eb51ff5ec8164075a5ee573abe76bc15e ipapython.ipautil.run: Add option to set umask before executing command
* e6497f099c09dfa60bd6ae98e4692e99b7381752 certs: do not export keys world-readable in install_key_from_p12
* bc8deb118dce93fc380793c75090d9108ce61541 certs: do not export CA certs in install_pem_from_p12
* cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af server install: fix KDC certificate validation in CA-less
* 77ef29ef30086c714025d97328507bd51e3f0421 replica install: respect --pkinit-cert-file
* 6f900ec60a426a2b97823d4612949a953fa6d49b cacert manage: support PKINIT
* e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc server certinstall: support PKINIT


"""

See the full comment at https://github.com/freeipa/freeipa/pull/798#issuecomment-302669425
MartinBasti
2017-05-19 10:35:22 UTC
URL: https://github.com/freeipa/freeipa/pull/798
Author: HonzaCholasta
Title: #798: [4.5] install: fix CA-less PKINIT
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/798/head:pr798
git checkout pr798
