New version attached with Endi's suggested changes.
Please review,
Thanks.
Ade
On Tue, 2014-09-30 at 11:27 -0400, Ade Lee wrote:
Revised patch attached.
In the last patch, I had added code that would have registered the subCA
as a member of the super-CA security domain. This introduced a problem
in removing that entry from the super-CA when the system was
pkidestroyed. It also changes the existing behavior and is not the
right thing to do.
This patch corrects all that, and thereby resolves the pkidestroy
problem.
Please review,
Ade
On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
> This fixes issue 1132 and allows pkispawn to successfully install a
> subCA that hosts its own security domain.
>
> This was, in retrospect, a lot harder than I thought it was going to be.
> Prior to this patch, we simply did not support this configuration with
> pkispawn.
>
> Two new parameters are introduced:
> pki_subordinate_create_new_security_domain=False
> pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
>
> See man pages for correct usage.
>
> There is only one issue left. When removing the subca using pkidestroy,
> removing the entry from the master security domain currently fails due
> to authentication. I'll fix that in the next patch.
>
> This is tricky stuff so please review carefully.
>
> Thanks.
> Ade