URL: https://github.com/freeipa/freeipa/pull/4172 Author: frasertweedale Title: #4172: [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed Action: opened
PR body: """ (manual backport of https://github.com/freeipa/freeipa/pull/4148)
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate.
Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud frenaud@redhat.com """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4172/head:pr4172
git checkout pr4172
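The decision rule the PR describes (issue a self-signed CA certificate only if the existing one is already self-signed, or if `--force-self-signed` was given), written out as an added Go example; this is not FreeIPA's code (the real dogtag-ipa-ca-renew-agent is Python) and the two certificates are constructed test data standing in for an externally-signed IPA CA and its root. The self-signed check verifies the signature with the certificate's own key rather than trusting the issuer name alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsSelfSigned reports whether cert was issued under its own key: issuer name
// equals subject name AND the signature verifies with the cert's own public key.
func IsSelfSigned(cert *x509.Certificate) bool {
	return bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// ShouldIssueSelfSigned is the renew-agent rule from the PR: self-sign only if
// the existing CA certificate is self-signed or --force-self-signed was given.
func ShouldIssueSelfSigned(existing *x509.Certificate, forceSelfSigned bool) bool {
	return forceSelfSigned || IsSelfSigned(existing)
}

// makeCACert issues a CA certificate for cn; with parent == nil it is self-signed.
func makeCACert(cn string, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenario returns constructed test data: a self-signed external root and an IPA CA it issued.
func BuildScenario() (root, ipaCA *x509.Certificate, err error) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, ipaKey, _ := ed25519.GenerateKey(rand.Reader)
	if root, err = makeCACert("External Root CA", rootKey, nil, nil); err == nil {
		ipaCA, err = makeCACert("IPA CA", ipaKey, root, rootKey)
	}
	return root, ipaCA, err
}
```

With `forceSelfSigned` false (the certmonger path), the externally-signed IPA CA is never renewed as self-signed; the root, being genuinely self-signed, is.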
URL: https://github.com/freeipa/freeipa/pull/4172 Author: frasertweedale Title: #4172: [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed Action: closed
freeipa-devel@lists.fedorahosted.org