freeipa/install/certmonger
Fraser Tweedale 769180c2c6 Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-29 21:47:14 +11:00
..
dogtag-ipa-ca-renew-agent-submit.in Do not renew externally-signed CA as self-signed 2020-01-29 21:47:14 +11:00
ipa-server-guard.in Skip lock and fork in ipa-server-guard on unsupported ops 2019-09-06 10:29:43 -04:00
Makefile.am Generate scripts from templates 2018-08-23 14:49:06 +02:00