12:20 p.m.
This fixes issue 1132 and allows pkispawn to successfully install a
subCA that hosts its own security domain.
This was, in retrospect, a lot harder than I thought it was going to be.
Prior to this patch, we simply did not support this configuration with
pkispawn.
Two new parameters are introduced:
pki_subordinate_create_new_security_domain=False
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
See man pages for correct usage.
There is only one issue left. When removing the subca using pkidestroy,
removing the entry from the master security domain currently fails due
to authentication. I'll fix that in the next patch.
This is tricky stuff so please review carefully.
Thanks.
Ade
10:27 a.m.
Revised patch attached.
In the last patch, I had added code that would have registered the subCA
as a member of the super-CA security domain. This introduced a problem
in removing that entry from the super-CA when the system was
pkidestroyed. Its also changes the existing behavior and is not the
right thing to do.
This patch corrects all that, and thereby resolves the pkidestroy
problem.
Please review,
Ade
On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
This fixes issue 1132 and allows pkispawn to successfully install a
subCA that hosts its own security domain.
This was, in retrospect, a lot harder than I thought it was going to be.
Prior to this patch, we simply did not support this configuration with
pkispawn.
Two new parameters are introduced:
pki_subordinate_create_new_security_domain=False
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
See man pages for correct usage.
There is only one issue left. When removing the subca using pkidestroy,
removing the entry from the master security domain currently fails due
to authentication. I'll fix that in the next patch.
This is tricky stuff so please review carefully.
Thanks.
Ade
11:11 a.m.
New version attached with Endi's suggested changes.
Please review,
Thanks.
Ade
On Tue, 2014-09-30 at 11:27 -0400, Ade Lee wrote:
Revised patch attached.
In the last patch, I had added code that would have registered the subCA
as a member of the super-CA security domain. This introduced a problem
in removing that entry from the super-CA when the system was
pkidestroyed. Its also changes the existing behavior and is not the
right thing to do.
This patch corrects all that, and thereby resolves the pkidestroy
problem.
Please review,
Ade
On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
> This fixes issue 1132 and allows pkispawn to successfully install a
> subCA that hosts its own security domain.
>
> This was, in retrospect, a lot harder than I thought it was going to be.
> Prior to this patch, we simply did not support this configuration with
> pkispawn.
>
> Two new parameters are introduced:
> pki_subordinate_create_new_security_domain=False
> pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security
Domain
>
> See man pages for correct usage.
>
> There is only one issue left. When removing the subca using pkidestroy,
> removing the entry from the master security domain currently fails due
> to authentication. I'll fix that in the next patch.
>
> This is tricky stuff so please review carefully.
>
> Thanks.
> Ade
11:44 a.m.
ACKed by Endi. Pushed to master.
On Wed, 2014-10-01 at 12:11 -0400, Ade Lee wrote:
New version attached with Endi's suggested changes.
Please review,
Thanks.
Ade
On Tue, 2014-09-30 at 11:27 -0400, Ade Lee wrote:
> Revised patch attached.
>
> In the last patch, I had added code that would have registered the subCA
> as a member of the super-CA security domain. This introduced a problem
> in removing that entry from the super-CA when the system was
> pkidestroyed. Its also changes the existing behavior and is not the
> right thing to do.
>
> This patch corrects all that, and thereby resolves the pkidestroy
> problem.
>
> Please review,
> Ade
>
> On Mon, 2014-09-29 at 13:20 -0400, Ade Lee wrote:
> > This fixes issue 1132 and allows pkispawn to successfully install a
> > subCA that hosts its own security domain.
> >
> > This was, in retrospect, a lot harder than I thought it was going to be.
> > Prior to this patch, we simply did not support this configuration with
> > pkispawn.
> >
> > Two new parameters are introduced:
> > pki_subordinate_create_new_security_domain=False
> > pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate
Security Domain
> >
> > See man pages for correct usage.
> >
> > There is only one issue left. When removing the subca using pkidestroy,
> > removing the entry from the master security domain currently fails due
> > to authentication. I'll fix that in the next patch.
> >
> > This is tricky stuff so please review carefully.
> >
> > Thanks.
> > Ade
>
4051
days inactive
4053
days old
3 comments
1 participants
participants (1)
-
Ade Lee