4b55136 Do not renew externally-signed CA as self-signed

Authored and Committed by ftweedal 4 years ago
    Do not renew externally-signed CA as self-signed
    
    Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
    prevented migration from externally-signed to self-signed IPA CA.
    But it introduced a subtle new issue: certmonger-initiated renewal
    renews an externally-signed IPA CA as a self-signed CA.
    
    To resolve this issue, introduce the `--force-self-signed' flag for
    the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
    definition that calls this script with the `--force-self-signed'
    flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
    CA certificate if the existing certificate is self-signed or if
    `--force-self-signed' was given.  Update `ipa-cacert-manage renew'
    to supply `--force-self-signed' when appropriate.
    
    As a result of these changes, certmonger-initiated renewal of an
    externally-signed IPA CA certificate will not issue a self-signed
    certificate.
    
    Fixes: https://pagure.io/freeipa/issue/8176
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
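
The renewal rule the commit message describes (issue a self-signed CA certificate only if the existing certificate is self-signed, or if `--force-self-signed` was given) can be illustrated in a few lines. The block below is an added example, not FreeIPA's or dogtag-ipa-ca-renew-agent's own code; it assumes the third-party `cryptography` package is installed, and the keys, names, certificates and the `is_self_signed` / `renewal_mode` function names are constructed for the example. The third constructed case goes beyond the commit text to show why a name-only "issuer equals subject" check is insufficient: the signature is verified against the certificate's own public key.

```python
"""Decide whether a CA renewal may produce a self-signed certificate.

Added illustration, not FreeIPA's dogtag-ipa-ca-renew-agent code.  Uses the
third-party `cryptography` package (assumed installed).  All keys, names and
certificates below are constructed for the example.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def is_self_signed(cert: x509.Certificate) -> bool:
    """True only if the certificate was signed with its own key.

    A bare issuer == subject comparison is a heuristic: it cannot tell a
    genuinely self-signed CA from a certificate that merely carries the same
    name in both fields, so the signature is also verified against the
    certificate's own public key (EC keys are assumed in this example).
    """
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def renewal_mode(existing: x509.Certificate, force_self_signed: bool = False) -> str:
    """Apply the rule from the commit message.

    Returns "self-signed" when the renewal agent may issue a self-signed CA
    certificate, and "external" when it must instead hand a CSR to the
    external CA so the externally-signed chain is preserved.
    """
    if force_self_signed or is_self_signed(existing):
        return "self-signed"
    return "external"


# --- constructed sample material (hypothetical names and keys) --------------

def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _make_ca_cert(subject, issuer, subject_key, signing_key) -> x509.Certificate:
    """Build a CA certificate for `subject` signed by `signing_key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


IPA_CA_KEY = ec.generate_private_key(ec.SECP256R1())
EXTERNAL_CA_KEY = ec.generate_private_key(ec.SECP256R1())
IPA_CA_NAME = _name("Certificate Authority")
EXTERNAL_CA_NAME = _name("Example External Root CA")

# Case 1: IPA CA signed with its own key.
SELF_SIGNED_CA = _make_ca_cert(IPA_CA_NAME, IPA_CA_NAME, IPA_CA_KEY, IPA_CA_KEY)
# Case 2: IPA CA signed by an external CA (the situation the commit fixes).
EXTERNALLY_SIGNED_CA = _make_ca_cert(IPA_CA_NAME, EXTERNAL_CA_NAME, IPA_CA_KEY, EXTERNAL_CA_KEY)
# Case 3: issuer name equals subject name, but the signature comes from another
# key; a name-only check would wrongly treat this as self-signed.
NAME_ONLY_MATCH_CA = _make_ca_cert(IPA_CA_NAME, IPA_CA_NAME, IPA_CA_KEY, EXTERNAL_CA_KEY)


if __name__ == "__main__":
    for label, cert in [("self-signed", SELF_SIGNED_CA),
                        ("externally signed", EXTERNALLY_SIGNED_CA),
                        ("name-only match", NAME_ONLY_MATCH_CA)]:
        print(f"{label:18s} certmonger renewal -> {renewal_mode(cert)}; "
              f"with --force-self-signed -> {renewal_mode(cert, True)}")
```

Without the force flag, certmonger-initiated renewal of the externally-signed certificate stays on the external path, which is exactly the behaviour the commit restores; only an explicit `--force-self-signed` (the `ipa-cacert-manage renew` migration case) switches it to self-signed.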
    
        