Revised patch attached.
In the last patch, I had added code that would have registered the subCA
as a member of the super-CA security domain. This introduced a problem
in removing that entry from the super-CA when the system was
pkidestroyed. It also changes the existing behavior and is not the
right thing to do.
This patch corrects all that, and thereby resolves the pkidestroy
problem.
Please review,
Ade
On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
This fixes issue 1132 and allows pkispawn to successfully install a
subCA that hosts its own security domain.
This was, in retrospect, a lot harder than I thought it was going to be.
Prior to this patch, we simply did not support this configuration with
pkispawn.
Two new parameters are introduced:
pki_subordinate_create_new_security_domain=False
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
See man pages for correct usage.
There is only one issue left. When removing the subca using pkidestroy,
removing the entry from the master security domain currently fails due
to authentication. I'll fix that in the next patch.
This is tricky stuff so please review carefully.
Thanks.
Ade