[Backport][ipa-4-7] Add PKI config override option #3023
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
base/server/etc/default.cfg from commit dogtagpki/pki@b931834 Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* Remove internal stuff from DEFAULT section * Remove all non-user modifiable paths * Remove OCSP, RA, TKS, TPS sections * Remove deprecated options and replace them with current options Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Common settings like "pki_*_signing_key_algorithm" now use an IPA specific template variable. The approach makes it easier to change all signing parameters to use a different algorithm. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Note: Some configuration stanzas are deprecated and have been replaced with new stanzas, e.g. pki_cert_chain_path instead of pki_external_ca_cert_chain_path. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
tiran
added
WIP
ipa-server-install now verifies the pki ini override file earlier Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Install CA with 4096bit RSA key and SHA-384 signature. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Mention the new option in the man pages for CA, KRA, replica, and server installation. The documentation must be improved once we have figured out which options are going to be supported. Fixes: pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
tiran
force-pushed
the
backport_pr2976_ipa-4-7
branch
from
81f38c3
to
2a9e95a
Compare
|
LGTM. |
freeipa-pr-ci
added
the
needs rebase
tiran
added
rejected
|
PKI installer improvements and HSM related changes won't be backported to 4.7 for now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport of PR #2976
Add an option to override CA and KRA settings passed to pkispawn. The feature allows users to change key size, signature algorithm, and other parameters. It's a prerequisite for HSM support.
The patchset also simplifies and improves how IPA creates the pki.ini files that gets passed to pkispawn.
See pagure.io/freeipa/issue/5608