provide option for ca-less drm install #1237

Closed
pki-bot opened this issue Oct 2, 2020 · 7 comments

pki-bot commented Oct 2, 2020

This issue was migrated from Pagure Issue #667. Originally filed by vakwetu (@vakwetu) on 2013-06-24 19:40:06:


There have been calls for being able to install KRA using an external CA.
This includes CA-less IPA installation and storage of secrets, and possible integration with CloudKeep.

We need to figure out how to do this.

@pki-bot pki-bot added this to the 10.1 - 10/13 (October) milestone Oct 2, 2020
@pki-bot pki-bot closed this as completed Oct 2, 2020

pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-08-15 00:45:56

Per discussions with Christina and Ade, I simply created a standalone CA (to act as the external CA), and then created a standalone KRA without running the automatic configuration.

Once I started the GUI configuration on the KRA, I was immediately blocked by the third panel "Security Domain" because although it contains a radio button for "Create a New Security Domain", this button is basically non-selectable for subsystems other than a CA, so this will probably be the starting point to see if we can add a third option of "Use an External CA".

Additionally, there is a NOTE on this panel that reads:

Since a Security Domain MUST be a CA (although all CAs are NOT necessarily
Security Domains), an appropriate value for this URL may be obtained by
logging into the machine which hosts the desired Security Domain CA as
'root' and running the command
"/usr/bin/pkicontrol status ca pki-tomcatd@pki-tomcat.service"
from the command-line.


pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-08-31 01:49:31

Due to the relative size of this effort, I have broken this ticket into two parts:

  • Phase I: Installation via 'pkispawn' and configuration via manual GUI panels in a Firefox browser
  • Phase II: Installation and configuration via 'pkispawn' and the REST interface


pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-08-31 01:58:31

Patch which addresses Phase I: Installation using 'pkispawn' and manual configuration using the GUI panel interface via a Firefox browser
20130830-Stand-alone-DRM-manual-GUI-configuration-only.patch


pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-09-10 00:19:59

In recent discussions, the following was determined:

  • a security domain is required (to allow for cloning)
  • the current use cases reflect using the pkispawn RESTful interface rather than the legacy GUI browser interface

As a consequence of this, much of the attached patch has been rendered unusable, and a design document has been created and placed at:

NOTE:  This task's design/implementation phases have been revised and
       are currently documented in the design document.


pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-10-16 03:06:08

F20 patch for Stand-alone DRM
20131015-Stand-alone-DRM.patch


pki-bot commented Oct 2, 2020

Comment from mharmsen (@mharmsen) at 2013-10-16 03:07:47

Checked into 'master':


pki-bot commented Oct 2, 2020

Comment from vakwetu (@vakwetu) at 2017-02-27 14:11:54

Metadata Update from @vakwetu:

  • Issue assigned to mharmsen
  • Issue set to the milestone: 10.1 - 10/13 (October)
