Bug 1001665

Summary: [RFE] Clean up ipa-server-certinstall CLI options
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipa Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0 CC: ksiddiqu, pviktori, rcritten
Target Milestone: rc Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.3.1-1.el7 Doc Type: Enhancement
Last Closed: 2014-06-13 11:02:54 UTC Type: ---

Description Dmitri Pal 2013-08-27 13:31:24 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3869

The CLI options for ipa-server-certinstall are not ideal. We should:

* Add a `--pin` option that replaces `--dirsrv_pin` (used with `-d`) and `--http_pin` (used with `-w`; `-d` and `-w` are mutually exclusive). The old options will remain as deprecated aliases.

* Add a `-p, --dirman-password` option to specify the directory manager password (necessary for replacing the DS cert).

* Mention in the usage string that
  * a PKCS#12 cert argument is required
  * either `-d` or `-w` is required

ipa-server-certinstall is now being rewritten for #3641; the change can be included in that devel effort.
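The option layout requested above, sketched with Python's argparse as an added example (this is not FreeIPA's code and not part of the original report). The function names, the `deprecated_option` and `needs_dirman_password` attributes, and the two rejection rules marked in the comments are assumptions made for illustration.

```python
import argparse
import sys


def build_parser():
    parser = argparse.ArgumentParser(
        prog="ipa-server-certinstall", allow_abbrev=False,
        usage="%(prog)s <-d|-w> [options] <file.p12>",
        description="A PKCS#12 file and exactly one of -d or -w are required.")
    service = parser.add_mutually_exclusive_group(required=True)
    service.add_argument("-d", dest="dirsrv", action="store_true",
                         help="replace the directory server certificate")
    service.add_argument("-w", dest="http", action="store_true",
                         help="replace the HTTP server certificate")
    parser.add_argument("--pin", help="PIN of the PKCS#12 file")
    # Deprecated aliases: still parsed, hidden from --help.
    parser.add_argument("--dirsrv_pin", help=argparse.SUPPRESS)
    parser.add_argument("--http_pin", help=argparse.SUPPRESS)
    parser.add_argument("-p", "--dirman-password", dest="dirman_password",
                        help="Directory Manager password (used with -d)")
    parser.add_argument("pkcs12", metavar="file.p12")
    return parser


def parse(argv):
    parser = build_parser()
    opts = parser.parse_args(argv)
    alias, other = (("dirsrv_pin", "http_pin") if opts.dirsrv
                    else ("http_pin", "dirsrv_pin"))
    # Assumption: an alias given for the other service is rejected.
    if getattr(opts, other) is not None:
        parser.error("--%s does not match the selected service" % other)
    opts.deprecated_option = None
    legacy = getattr(opts, alias)
    if legacy is not None:
        # Assumption: the new option and its alias together are ambiguous.
        if opts.pin is not None:
            parser.error("--pin and --%s cannot be combined" % alias)
        opts.pin, opts.deprecated_option = legacy, "--" + alias
        print("warning: --%s is deprecated, use --pin" % alias, file=sys.stderr)
    # Assumption: without -p the caller has to obtain the password another way.
    opts.needs_dirman_password = opts.dirsrv and opts.dirman_password is None
    return opts


if __name__ == "__main__":
    o = parse(sys.argv[1:])
    # Print only non-secret fields.
    print(o.pkcs12, o.deprecated_option, o.needs_dirman_password)
```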

Comment 2 Kaleem 2014-01-08 12:55:53 UTC
Verified.

IPA Version:
============
--------[RPMs & OS: [RHEL-7.0-20131222.0 - x86_64]-------
|       ipa-admintools-3.3.3-6.el7.x86_64
|       ipa-client-3.3.3-6.el7.x86_64
|       ipa-server-3.3.3-6.el7.x86_64
|       sssd-ipa-1.11.2-15.el7.x86_64
---------------------------------------------------------

Snippet from automation log:
===========================

(1) New options "--pin" and "--dirman-password" are working fine.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipatests-test_integration-test_caless-TestCertinstall-test_http_san: Install new HTTP certificate with SAN
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] PUT /root/ipatests/server.p12
:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] RUN ['ipa-server-certinstall', '-w', 'server.p12', '--pin', 'Secret123']
:: [   PASS   ] :: Test succeeded 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipatests-test_integration-test_caless-TestCertinstall-test_http_san: Install new HTTP certificate with SAN

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipatests-test_integration-test_caless-TestCertinstall-test_ds_san: Install new DS certificate with SAN
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] PUT /root/ipatests/server.p12
:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] RUN ['ipa-server-certinstall', '-d', 'server.p12', '--pin', 'Secret123', '--dirman-password', 'Secret123']
:: [   PASS   ] :: Test succeeded 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipatests-test_integration-test_caless-TestCertinstall-test_ds_san: Install new DS certificate with SAN


(2) Also, the old options (--http_pin and --dirsrv_pin) still work.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipatests-test_integration-test_caless-TestCertinstall-test_http_old_options: Install new valid DS certificate using pre-v3.3 CLI options
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] PUT /root/ipatests/server.p12
:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] RUN ['ipa-server-certinstall', '-w', 'server.p12', '--http_pin', 'Secret123']
:: [   PASS   ] :: Test succeeded 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipatests-test_integration-test_caless-TestCertinstall-test_http_old_options: Install new valid DS certificate using pre-v3.3 CLI options

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipatests-test_integration-test_caless-TestCertinstall-test_ds_old_options: Install new valid DS certificate using pre-v3.3 CLI options
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] PUT /root/ipatests/server.p12
:: [   INFO   ] :: [ipa.ipatests.test_integration.host.Host.ibm-ls21-04.OpenSSHTransport] RUN ['ipa-server-certinstall', '-d', 'server.p12', '--dirsrv_pin', 'Secret123']
:: [   PASS   ] :: Test succeeded 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipatests-test_integration-test_caless-TestCertinstall-test_ds_old_options: Install new valid DS certificate using pre-v3.3 CLI options

Comment 4 Ludek Smid 2014-06-13 11:02:54 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.