freeipa/ipaserver/install
Rob Crittenden beaa0562dc Add support for Random Serial Numbers v3
Dogtag has implemented a new random serial number scheme
they are calling RSNv3.

https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

Given the known issues reported this will be supported in IPA for
new installations only.

There is no mixing of random servers and non-random servers
allowed.

Instructions for installing a CA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc

Instructions for installing a KRA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc

The version of random serial numbers is stored within the CA entry
of the server. It is stored as a version to allow for future upgrades.

If a CA has RSN enabled then any KRA installed will also have it
enabled for its identifiers.

A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA
entry to track the version number in case PKI has future major
revisions. This can also be used to determine if RSN is enabled or not.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
..
plugins ipatests: extend AES keyset to SHA2-based ones 2022-03-08 12:54:47 +01:00
server Configure and enable the graceperiod plugin on upgrades 2022-06-02 15:24:22 -04:00
__init__.py Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06 15:42:33 +02:00
adtrust.py adtrust install: define constants for rid bases 2021-11-02 10:11:28 +01:00
adtrustinstance.py SMB: switch IPA domain controller role 2021-11-10 15:00:27 -05:00
bindinstance.py LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
ca.py Add support for Random Serial Numbers v3 2022-06-09 08:35:15 +02:00
cainstance.py Add support for Random Serial Numbers v3 2022-06-09 08:35:15 +02:00
certs.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
conncheck.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
custodiainstance.py pylint: Fix unused-private-member 2022-03-11 13:37:08 -05:00
dns.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
dnskeysyncinstance.py dnskeysyncinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
dogtag.py Verify pki ini override early 2019-04-10 13:43:23 +02:00
dogtaginstance.py pylint: Fix consider-using-dict-items 2022-03-11 13:37:08 -05:00
dsinstance.py Configure and enable the graceperiod plugin on upgrades 2022-06-02 15:24:22 -04:00
httpinstance.py Enable the ccache sweep timer during installation 2022-02-09 10:41:56 -05:00
installutils.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_acme_manage.py ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints 2020-11-17 18:48:24 +02:00
ipa_backup.py BIND: Setup logging 2021-05-25 10:45:49 +03:00
ipa_cacert_manage.py ipa-cacert-manage: add prune option 2021-02-12 14:08:11 -05:00
ipa_cert_fix.py ipa-cert-fix man page: add note about certmonger renewal 2021-06-10 20:59:27 +02:00
ipa_crlgen_manage.py CRL generation master: new utility to enable|disable 2019-03-14 09:39:55 +01:00
ipa_kra_install.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa_ldap_updater.py Remove -s option from ipa-ldap-updater usage 2021-05-20 14:45:27 -04:00
ipa_otptoken_import.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_pkinit_manage.py Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server 2021-06-17 17:28:48 -04:00
ipa_replica_install.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_restore.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_server_certinstall.py Require an ipa-ca SAN on 3rd party certs if ACME is enabled 2020-11-02 14:01:05 -05:00
ipa_server_install.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_server_upgrade.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipa_subids.py pylint: Fix arguments-renamed 2022-03-11 13:37:08 -05:00
ipa_trust_enable_agent.py ipa-adtrust-install: run remote configuration for new agents 2020-03-05 14:40:58 +01:00
ipa_winsync_migrate.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipactl.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
kra.py ipa-kra-install: exit if ca_host is overriden 2021-07-27 13:27:36 +02:00
krainstance.py Add support for Random Serial Numbers v3 2022-06-09 08:35:15 +02:00
krbinstance.py Kerberos instance: default to AES256-SHA2 for master key encryption 2022-03-16 11:14:35 +02:00
ldapupdate.py pylint: Fix unused-variable 2022-03-11 13:37:08 -05:00
odsexporterinstance.py odsexporterinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
opendnssecinstance.py opendnssecinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
otpdinstance.py Enable pylint missing-final-newline check 2015-12-23 07:59:22 +01:00
replication.py Exclude passwordgraceusertime from replication 2022-05-30 17:24:22 +03:00
schemaupdate.py Unify access to FQDN 2020-10-26 17:11:19 +11:00
service.py LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
sysupgrade.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
upgradeinstance.py Use get_replication_plugin_name in LDAP updater 2021-06-21 10:58:02 +02:00