mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
0708f603e2
This script deletes all CA certificates so a new chain can be loaded. It identified CA certs by those that did not have private keys. This change adds the ca_flags test in as well. It is probably sufficient on its own but it is left for compatibility. An HSM-based NSS database when not accessing it with the token will not contain the private keys so removing all certificates without a private key will remove certificates that it shouldn't. The NSS softoken stores the certificate trust so the certificates will be visible but they lack private keys because those reside in the HSM. Therefore deleting any certificate without a private key removed nearly everything. Preserve the nickname 'caSigningCert cert-pki-ca'. The certstore uses the nickname format '{REALM} IPA CA' and will replace the PKI-named key if we don't act to preserve it.

Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

| Name |
|---|
| .. |
| certmonger |
| custodia |
| html |
| migration |
| oddjob |
| restart_scripts |
| share |
| tools |
| ui |
| updates |
| wsgi |
| Makefile.am |
| README.schema |
Ground rules on adding new schema

Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory.

Existing schema (e.g. from an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is that if 389-ds ever ships the schema itself, the installation won't fail due to existing schema failing to load during bootstrap.

If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.