Installing an IPA server with the --selfsign option is currently a one-way ticket to a server with limited certificate capabilities. Make sure that the user really wants to install it by implementing the following steps:

- moving the option to the bottom of the certificate options section
- adding a warning to the ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to the ipa-server-install configuration summary when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908
>From 2dc4882c3173c2b18c2958f39a93fda73c73a634 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Mon, 3 Oct 2011 12:30:34 +0200 Subject: [PATCH] Be more clear about selfsign option Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really want to install it by implementing the following steps: - moving the option to the bottom of certificate options section - adding a warning to ipa-server-install man page - adding a warning to ipa-server-install help - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install https://fedorahosted.org/freeipa/ticket/1908 --- install/tools/ipa-server-install | 10 ++++++++-- install/tools/man/ipa-server-install.1 | 8 +++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 504d6af50f70278864dacf44cac9e4bbc832e069..7d961cb872efa6ce65cbb737871e000497a852b4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -141,8 +141,6 @@ def parse_options(): parser.add_option_group(basic_group) cert_group = OptionGroup(parser, "certificate system options") - cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true", - default=False, help="Configure a self-signed CA instance rather than a dogtag CA") cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", default=False, help="Generate a CSR to be signed by an external CA") cert_group.add_option("", "--external_cert_file", dest="external_cert_file", 
@@ -166,6 +164,9 @@ def parse_options(): cert_group.add_option("--subject", action="callback", callback=subject_callback, type="string", help="The certificate subject base (default O=<realm-name>)") + cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true", + default=False, help="Configure a self-signed CA instance rather than a dogtag CA. " \ + "WARNING: Certificate management capabilities will be limited") parser.add_option_group(cert_group) dns_group = OptionGroup(parser, "DNS options") @@ -667,6 +668,11 @@ def main(): print "This program will set up the FreeIPA Server." print "" print "This includes:" + if options.selfsign: + print " * Configure NSS to handle a self-signed CA" + print " WARNING: certificate management capabilities will be limited" + else: + print " * Configure a stand-alone CA (dogtag) for certificate management" if options.conf_ntp: print " * Configure the Network Time Daemon (ntpd)" print " * Create and configure an instance of Directory Server" diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 306fceb190c8af261bd9f580c2043f8a28fe86ba..f305723b1926851c007d0fd177e52baa51d927d6 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -71,9 +71,6 @@ An unattended installation that will never prompt for user input .SS "CERTIFICATE SYSTEM OPTIONS" .TP -\fB\-\-selfsign\fR -Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates -.TP \fB\-\-external\-ca\fR Generate a CSR to be signed by an external CA .TP 
@@ -106,6 +103,11 @@ The password of the Kerberos KDC PKCS#12 file .TP \fB\-\-subject\fR=\fISUBJECT\fR The certificate subject base (default O=REALM.NAME) +.TP +\fB\-\-selfsign\fR +Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates. + +WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later. .SS "DNS OPTIONS" .TP -- 1.7.6.2
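Review bot: in the @@ -166,6 +164,9 @@ hunk of install/tools/ipa-server-install, the new --selfsign help text warns only that capabilities "will be limited" and says nothing about the choice being irreversible, which is the point the cover letter makes and which the man page entry added later in this same patch does state; consider aligning the two, e.g. `"WARNING: Certificate management capabilities will be limited and this setting cannot be changed later"`. Also, the trailing backslash after `help="Configure a self-signed CA instance rather than a dogtag CA. " \` is redundant: adjacent string literals inside the call's parentheses are concatenated without a line continuation.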
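Review bot: in the @@ -667,6 +668,11 @@ hunk of install/tools/ipa-server-install, the summary printed under `if options.selfsign:` is the last chance for the user to back out, yet it omits the fact that a self-signed CA cannot be switched to dogtag afterwards; one more line beneath `print " WARNING: certificate management capabilities will be limited"`, such as `print " This setting cannot be changed later"`, would make the summary say what the man page says.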
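Review bot: in the @@ -106,6 +103,11 @@ hunk of install/tools/man/ipa-server-install.1, the WARNING wording needs a pass: "restrain" should be "restrict" (or "limit", to match the help text), and "Please, keep in mind" should lose the comma. The empty source line between the description and the WARNING inside the .TP entry is unconventional in man page source; `.sp` produces the same vertical space explicitly and makes the intent clear to the next editor.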
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel