#5608 [RFE] Add Dogtag configuration extensions
Closed: fixed a year ago by rcritten. Opened 8 years ago by mkosek.

Dogtag supports HSM for the CA keys. Update FreeIPA installers and management interface to support this configuration, rather than only supporting Dogtag with keys in NSS databases.


  • [pspacek] we might want to do the same for DNSSEC at the same time, configuration options and user interface will be similar
  • mbasti: then DNSSEC will need the CA to be installed; how will it cooperate with a CA-less installation?
  • [pspacek] No, I mean that user interface needed for configuring HSM is the same - same options with same meaning etc. So it could make sense to do both at the same time.
  • RHCS itself and NSS support HSM; it is not integrated into our installer.
  • mkosek: currently a 4.6? consideration (i.e. Future Releases), unless it is something very easy to do.
  • HSM configuration in OpenDNSSEC, for example, is ~ 5 lines in configuration file.

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes (was: someone)
- Issue close_status updated to: None

4 years ago

master:

  • 8c4d75f Add current default.cfg from Dogtag
  • 0a2b02f Simplify and slim down ipaca_default.ini
  • 70becca Add IPA specific vars to ipaca_default.ini
  • f847d77 Use new pki_ipaca.ini to spawn instances
  • dd47cfc Add pki.ini override option
  • 9493742 Simplify and consolidate ipaca.ini
  • dba8971 Verify pki ini override early
  • 42efdc7 Add test case for pki config override
  • 2b2c5d6 Add --pki-config-override to man pages

For future reference: https://github.com/freeipa/freeipa/pull/3023 is an abandoned backport to 4.7 branch. We decided to keep the changes in master / 4.8 for now.

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.8 (was: Future Releases)

4 years ago

master:

  • dd58a70 Fix and extend pki config override test

master:

  • 8686cd3 Pass token_name to certmonger

master:

  • 130e1dc move MSCSTemplate classes to ipalib
  • 21a9a71 install: fix --external-ca-profile option
  • 7171142 Fix use of incorrect variable
  • b15bd50 Add more tests for --external-ca-profile handling
  • 80e76f0 Collapse --external-ca-profile tests into single class
  • 2c8352f ci: add --external-ca-profile tests to nightly
  • 33f39d8 ci: add --external-ca-profile tests to gating

ipa-4-8:

  • d0d29cc move MSCSTemplate classes to ipalib
  • e632b22 install: fix --external-ca-profile option
  • 71af731 Fix use of incorrect variable
  • 83ed057 Add more tests for --external-ca-profile handling
  • a627df8 Collapse --external-ca-profile tests into single class
  • 740964c ci: add --external-ca-profile tests to nightly
  • 011c528 ci: add --external-ca-profile tests to gating

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

master:

  • 076d955 Store HSM token and state

master:

  • bebe09f Fix ca_initialize_hsm_state

ipa-4-8:

  • f98c9f2 Fix ca_initialize_hsm_state

Metadata Update from @rcritten:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

a year ago

Re-opening to track additional changes needed for full HSM support.

On second thought, I'll create a new ticket. This isn't about general HSM support but the override file.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
