dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Keep client database after installation #1135

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #565. Originally filed by edewata (@edewata) on 2013-03-22 07:05:14:


In many cases one person might be both the installer and the admin. When he runs pkispawn it will install the server, configure the server, and request a certificate for the admin user. As an admin he will likely need to use the CLI to do administrative tasks.

Currently, to request a certificate, pkispawn creates a temporary database and then removes it when everything is done. If the admin later needs to use the CLI, he will need to manually create a new database and import the certificate. To simplify the process, it would be better to keep the database that was originally created to request the certificate.

Here are the proposed changes:

  1. Keep the client database by default. The pki_client_database_purge parameter should be False by default, or be removed altogether.

  2. To simplify things further, by default the client database should be stored in ~/.pki/nssdb. The certificate should have a unique name so it won't conflict with certificates for other instances. This way when using the CLI the admin won't need to specify the database path.

  3. By default the client database password and PKCS 12 password will be made identical to the admin user password, so it's not necessary to specify them in the deployment configuration. If the certificate is to be stored in an existing database or PKCS 12, the pki_client_database_password and pki_client_pkcs12_password parameters can be used to specify their passwords.

  4. The client password files (password.conf and pkcs12_password.conf) should be removed once pkispawn is done. This way it's more secure. If the admin needs to use the certificate database or the PKCS 12 file he would need to supply the password. Since the password files are temporary, the pki_client_password_conf and pki_client_pkcs12_password_conf parameters are not needed; pkispawn can generate temporary file names.

  5. In the future the PKCS 12 file could be made optional once the CLI becomes mature enough and can provide all functionalities currently provided by the Web UI.

We should also consider splitting pkispawn into separate tools for installer and admin in case they are different people. The installer should not need to deal with parameters for admin certificate or passwords.
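
A post-install check for proposals 1 and 4 above, added here as an example and not part of the issue or of Dogtag's code: it walks a kept client directory and flags leftover password.conf / pkcs12_password.conf files, plus NSS database or PKCS #12 files that group or other can access. The directory layout, the permission policy and the function names are assumptions; only the two password file names come from the issue.

```python
import os
import stat
import tempfile
from pathlib import Path

# Password file names come from the issue text; the rest is assumed for illustration.
PASSWORD_FILES = ("password.conf", "pkcs12_password.conf")
# Standard NSS database file names (legacy dbm and sql formats).
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db", "cert9.db", "key4.db", "pkcs11.txt")


def audit_client_dir(client_dir):
    """Return (path, finding) tuples for a client directory kept after install."""
    findings = []
    root = Path(client_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if path.name in PASSWORD_FILES:
            # Proposal 4: these files should not outlive the installer run.
            findings.append((str(path), "leftover plaintext password file"))
        is_secret = (path.name in PASSWORD_FILES or path.name in NSS_DB_FILES
                     or path.suffix == ".p12")
        if is_secret and mode & 0o077:
            # Proposal 1 keeps the database, so its permissions now matter.
            findings.append((str(path), f"group/other access (mode {mode:04o})"))
    return findings


def build_sample(root):
    """Constructed sample: a kept NSS database plus one forgotten password file."""
    db = Path(root) / "nssdb"
    db.mkdir()
    for name, mode in (("cert9.db", 0o600), ("key4.db", 0o644), ("pkcs11.txt", 0o600)):
        f = db / name
        f.write_bytes(b"")
        f.chmod(mode)
    leftover = Path(root) / "password.conf"
    leftover.write_text("constructed-sample-password\n")
    leftover.chmod(0o600)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, finding in audit_client_dir(build_sample(tmp)):
            print(f"{os.path.relpath(path, tmp)}: {finding}")
```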

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2013-08-13 21:27:33

Discuss this with the PKI team before proceeding with this ticket.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2014-06-04 19:58:33

[06/04/2014] - Moving to Milestone 10.3 due to schedule restrictions.

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2017-02-27 13:57:30

Metadata Update from @edewata: