Bug 1371927 - Implement ca-enable/disable commands.
Summary: Implement ca-enable/disable commands.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-31 12:45 UTC by Martin Bašti 🖰
Modified: 2017-08-01 09:39 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Target Upstream Version:


Attachments (Terms of Use)
console.log (6.14 KB, text/plain)
2017-05-31 07:41 UTC, Abhijeet Kasurde
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Bašti 🖰 2016-08-31 12:45:07 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6257

Per discussion in #6220, add ca-enable and ca-disable commands.

The behaviour already exists in Dogtag; only needs to be exposed via IPA.

Note that ca-del must be updated to handle the case of target CA already
being disabled.

Comment 1 Fraser Tweedale 2016-09-05 16:46:19 UTC
Currently, admins have no way to wholesale disable a CA, i.e. to
prevent it issuing new certificates with the possibility of
re-enabling it at a later time, and ensuring that certificates issued
by the CA can still be managed by FreeIPA.

There is currently no way to do this.  A similar but limited
outcome can be achieved by removing the CA from all CA ACLs but this
has a variable - possibly very high - administrative overhead.

Comment 2 Martin Babinsky 2016-09-07 10:39:31 UTC
master:
* c7e0dbc4e174d0bb7577de18cdb2f414f4199c57 Add ca-disable and ca-enable commands
ipa-4-4:
* b037e54e457d731cd16144df7573f4c85d79368a Add ca-disable and ca-enable commands

Comment 5 Abhijeet Kasurde 2017-05-31 07:40:33 UTC
Verified using IPA and PKI version ::

ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch

Marking BZ as verified. See attachment for console log.

Comment 6 Abhijeet Kasurde 2017-05-31 07:41:04 UTC
Created attachment 1283632 [details]
console.log

Comment 7 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.