freeipa/ipaserver
Fraser Tweedale 769180c2c6 Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-29 21:47:14 +11:00
..
advise smartcard: make the ipa-advise script compatible with authselect/authconfig 2019-11-08 12:57:54 +01:00
dnssec Add ODS manager abstraction to ipaplatform 2019-04-24 14:08:20 +02:00
install Do not renew externally-signed CA as self-signed 2020-01-29 21:47:14 +11:00
plugins ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output 2020-01-06 09:42:21 -05:00
secrets NSSWrappedCertDB: accept optional symmetric algorithm 2019-09-25 12:42:06 +10:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
dcerpc_common.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
dcerpc.py Fix get_trusted_domain_object_from_sid() 2019-12-12 09:58:16 +01:00
dns_data_management.py Removed unnecessary imports after code review. 2019-09-27 09:38:32 +02:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
masters.py Add hidden replica feature 2019-03-28 17:57:58 +01:00
p11helper.py Add PKCS#11 module name to p11helper errors 2019-07-25 15:16:33 -04:00
rpcserver.py AD user without override receive InternalServerError with API 2020-01-10 17:07:57 +01:00
servroles.py Consider configured servers as valid 2019-04-29 16:51:40 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
topology.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00