Be more clear about selfsign option

Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really want to install it by implementing the following steps: - moving the option to the bottom of certificate options section - adding a warning to ipa-server-install man page - adding a warning to ipa-server-install help - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install https://fedorahosted.org/freeipa/ticket/1908
2025-02-25 18:55:28 -06:00 · 2011-10-03 12:30:34 +02:00
parent 48a67d9a2e
commit 28603e0c3a
2 changed files with 13 additions and 5 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -141,8 +141,6 @@ def parse_options():
    parser.add_option_group(basic_group)

    cert_group = OptionGroup(parser, "certificate system options")
-    cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true",
-                      default=False, help="Configure a self-signed CA instance rather than a dogtag CA")
    cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
                      default=False, help="Generate a CSR to be signed by an external CA")
    cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
@@ -166,6 +164,9 @@ def parse_options():
    cert_group.add_option("--subject", action="callback", callback=subject_callback,
                      type="string",
                      help="The certificate subject base (default O=<realm-name>)")
+    cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true",
+                      default=False, help="Configure a self-signed CA instance rather than a dogtag CA. " \
+                      "WARNING: Certificate management capabilities will be limited")
    parser.add_option_group(cert_group)

    dns_group = OptionGroup(parser, "DNS options")
@@ -667,6 +668,11 @@ def main():
    print "This program will set up the FreeIPA Server."
    print ""
    print "This includes:"
+    if options.selfsign:
+        print "  * Configure NSS to handle a self-signed CA"
+        print "    WARNING: certificate management capabilities will be limited"
+    else:
+        print "  * Configure a stand-alone CA (dogtag) for certificate management"
    if options.conf_ntp:
        print "  * Configure the Network Time Daemon (ntpd)"
    print "  * Create and configure an instance of Directory Server"
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -72,9 +72,6 @@ An unattended installation that will never prompt for user input

 .SS "CERTIFICATE SYSTEM OPTIONS"
 .TP
-\fB\-\-selfsign\fR
-Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates
-.TP
 \fB\-\-external\-ca\fR
 Generate a CSR to be signed by an external CA
 .TP
@@ -107,6 +104,11 @@ The password of the Kerberos KDC PKCS#12 file
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-selfsign\fR
+Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
+
+WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later.

 .SS "DNS OPTIONS"
 .TP