freeipa

mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Author	SHA1	Message	Date
Jan Cholasta	d27e77adc5	Allow upgrading CA-less to CA-full using ipa-ca-install. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	8bbdfff102	Allow adding CA certificates to certificate store in ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	1b8a1e5564	Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	18aa3216e0	Allow changing chaining of the IPA CA certificate in ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	f39c6ee544	Add new NSSDatabase method get_cert for getting certs from NSS databases. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	987bf3fbf0	Allow multiple CA certificates in replica info files. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	f1e186d7d8	Export full CA chain to /etc/ipa/ca.crt in ipa-server-install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	60e19b585c	Add client certificate update tool ipa-certupdate. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	2b7a7c356c	Get up-to-date CA certificates from certificate store in ipa-replica-install. Previously it used CA certificate from the replica info file directly. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	55d3bab57b	Get CA certs for system-wide store from cert store in ipa-client-install. All of the certificates and associated key policy are now stored in /etc/pki/ca-trust/source/ipa.p11-kit. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	24932b2d91	Add functions for DER encoding certificate extensions to ipalib.x509. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	b5471a9f3e	Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	eaebefe5f6	Allow overriding NSS database path in RPCClient. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	459d6cff4e	Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	6870eb909e	Add function for writing list of certificates to a PEM file to ipalib.x509. Also rename load_certificate_chain_from_file to load_certificate_list_from_file. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	fd400588d7	Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	29f42cbec1	Refactor CA certificate fetching code in ipa-client-install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	9e223e6fd4	Upload renewed CA cert to certificate store on renewal. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	6f01499419	Import CA certs from certificate store to HTTP NSS database on server install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	82d682fa64	Import CA certs from certificate store to DS NSS database on replica install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	88706c5674	Add new add_cert method for adding certificates to NSSDatabase and CertDB. Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and remove add_single_pem_cert. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	feecdb4cdc	Rename CertDB method add_cert to import_cert. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	5f29a71bd7	Upload CA chain from DS NSS database to certificate store on server update. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	05212a17a9	Upload CA chain from DS NSS database to certificate store on server install. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	de695e688e	Add certificate store module ipalib.certstore. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	239ef955af	Add function for extracting extended key usage from certs to ipalib.x509. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	4ae3f815ba	Add functions for extracting certificates fields in DER to ipalib.x509. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	586373cf07	Add permissions for certificate store. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	fd80cc1c59	Configure attribute uniqueness for certificate store. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	1c612ad3e1	Add container for certificate store. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	25c10bc161	Add LDAP schema for certificate store. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	61f166da5d	Add LDAP schema for wrapped cryptographic keys. This is part of the schema at <http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema>. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	d2bf0b8b54	Fix trust flags in HTTP and DS NSS databases. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	9d4eeeda55	Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	a8a44c1c71	Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall. This is a no longer used nickname for CA certificate on CA-less server installs. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	52f72ec058	Do not treat the IPA RA cert as CA cert in DS NSS database. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	1778f0ebc9	Allow IPA master hosts to read and update IPA master information. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	61159b7ff2	Check that renewed certificates coming from LDAP are actually renewed. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	7086183519	Do not use ldapi in certificate renewal scripts. This prevents SELinux denials when accessing the ldapi socket. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	e16d2623ae	Remove master ACIs when deleting a replica. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	d1386be4d5	Pick new CA renewal master when deleting a replica. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	baa665fe40	Load sysupgrade.state on demand. This prevents SELinux denials when the sysupgrade module is imported in a confined process. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	031096324d	Alert user when externally signed CA is about to expire. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	ba3c7b4a89	Add CA certificate management tool ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	2870db7913	Add permissions for CA certificate renewal. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	031b281921	Add method for verifying CA certificates to NSSDatabase. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	2c43a3d0d5	Move external cert validation from ipa-server-install to installutils. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	2109d6611b	Provide additional functions to ipapython.certmonger. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	9e188574a5	Add method for setting CA renewal master in LDAP to CAInstance. Allow checking and setting CA renewal master for non-local CA instances. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00
Jan Cholasta	2f6990c256	Track CA certificate using dogtag-ipa-ca-renew-agent. Reviewed-By: Rob Crittenden <rcritten@redhat.com>	2014-07-30 16:04:21 +02:00

1 2 3 4 5 ...

7381 Commits