IPA Development

From Dogtag
Jump to: navigation, search


$ dnf copr enable mkosek/freeipa-master
$ yum-builddep -y freeipa.spec

See also:

Spec File

See freeipa.spec.in:

# Require Dogtag PKI 10.6.1 with Python 3 and SQL NSSDB fixes for external
# CA support, https://bugzilla.redhat.com/show_bug.cgi?id=1573094
%global pki_version 10.6.1

BuildRequires: python3-pki >= %{pki_version}

# jss is an indirect dependency. 4.4.5 fixes sub CA replication bug,
# see https://pagure.io/freeipa/issue/7536
# see https://pagure.io/freeipa/issue/7590
Requires: jss >= 4.4.5-1

Requires: pki-ca >= %{pki_version}
Requires: pki-kra >= %{pki_version}
Requires: python3-pki >= %{pki_version}


The installation code is located in the following files:

  • ipaserver/install/cainstance.py
  • ipaserver/install/dogtaginstance.py
  • ipaserver/install/krainstance.py


The CA and KRA backend code is located in the following file:

  • ipaserver/plugins/dogtag.py

Password Vault

The vault code is stored in the following files:

Certificate Renewal

The renewal code is stored in the following files:


During cloning, the certificates and keys are transfered to the replica with the following procedure:

  • A temporary NSSDB is created
  • Replica downloads PKCS#12 files for the following certificates:
    • caSigningCert cert-pki-ca
    • ocspSigningCert cert-pki-ca
    • auditSigningCert cert-pki-ca
    • subsystemCert cert-pki-ca
  • The PKCS#12 files are imported with pk12util into the temporary NSSDB
  • All IPA CA certs are imported into the temporary NSS DB as well
  • The temporary NSSDB is exported into one PKCS#12 file with PKCS12Export

See also ipaserver/install/custodiainstance.py.