author | Jan Cholasta <jcholast@redhat.com> | 2013-12-05 14:34:14 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-24 12:10:01 +0200 |
commit | e675e427c713e41a5384d329bf453a998a70bb13 (patch) | |
tree | 87777bc5c1bade858d4956382cded2285e00e6ec | |
parent | 61eeea9e69483d5afbdefebcf068dac06749313f (diff) | |
Allow SAN in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 7 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 51 |
2 files changed, 57 insertions, 1 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 99dfbdf9d..688e17872 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -330,9 +330,14 @@ def upgrade_ipa_profile(ca, domain, fqdn):
root_logger.debug('Subject Key Identifier updated.')
else:
root_logger.debug('Subject Key Identifier already set.')
+ san = ca.enable_subject_alternative_name()
+ if san:
+ root_logger.debug('Subject Alternative Name updated.')
+ else:
+ root_logger.debug('Subject Alternative Name already set.')
audit = ca.set_audit_renewal()
uri = ca.set_crl_ocsp_extensions(domain, fqdn)
- if audit or ski or uri:
+ if audit or ski or san or uri:
return True
else:
root_logger.info('CA is not configured')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b5c6cdcde..b13a77d58 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -464,6 +464,7 @@ class CAInstance(service.Service):
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("set certificate subject base", self.__set_subject_in_config)
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+ self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name)
self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configuring certificate server to start on boot", self.__enable)
@@ -1198,6 +1199,8 @@ class CAInstance(service.Service):
new_set_list = '1,2,3,4,5,6,7,8,9'
elif setlist == '1,2,3,4,5,6,7,8,10':
new_set_list = '1,2,3,4,5,6,7,8,9,10'
+ elif setlist == '1,2,3,4,5,6,7,8,10,11':
+ new_set_list = '1,2,3,4,5,6,7,8,9,10,11'
if new_set_list:
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
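Review bot: The new `else` branch logs 'Subject Alternative Name already set.' for every False return from `ca.enable_subject_alternative_name()`, but that method (added later in this commit) also returns False when `policyset.serverCertSet.list` is non-default and is intentionally left alone, so on a customised profile the upgrade log would report SAN as present when nothing was added. A neutral message avoids the misleading claim, e.g. `root_logger.debug('Subject Alternative Name not updated (already set or profile customized).')`, or the enabling method could return a value that lets the two cases be told apart in the log. `upgrade_ipa_profile` begins before this hunk.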
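Review bot: The added `elif` in the @@ -1198 hunk extends a chain of exact-match literals in which the policy set numbers 9, 10 and 11 are unexplained magic values; only 11 can be identified from this commit (the SAN set written by `enable_subject_alternative_name`), and what 9 and 10 denote is not visible in the hunk. A comment above the chain naming each set number, e.g. `# serverCertSet numbers: 11 = SAN (enable_subject_alternative_name); 9 and 10 -- see the methods that add them`, would make the next addition less error-prone. The exact-match style appears deliberate (the SAN method in this commit explains it as not touching a user-modified list), so a generic membership test is not suggested. The enclosing method starts and ends outside this hunk.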
@@ -1513,6 +1516,54 @@ class CAInstance(service.Service):
# No update was done
return False
+ def enable_subject_alternative_name(self):
+ """
+ See if Subject Alternative Name is set in the profile and if not, add
+ it.
+ """
+ setlist = installutils.get_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.list', separator='=')
+
+ # this is the default setting from pki-ca/pki-tomcat. Don't touch it
+ # if a user has manually modified it.
+ if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10':
+ setlist = setlist + ',11'
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.list',
+ setlist,
+ quotes=False, separator='=')
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.11.constraint.class_id',
+ 'noConstraintImpl',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.11.constraint.name',
+ 'No Constraint',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.11.default.class_id',
+ 'userExtensionDefaultImpl',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.11.default.name',
+ 'User Supplied Extension Default',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.11.default.params.userExtOID',
+ '2.5.29.17',
+ quotes=False, separator='=')
+ return True
+
+ # No update was done
+ return False
+
def set_audit_renewal(self):
"""
The default renewal time for the audit signing certificate is |
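Review bot: The docstring of `enable_subject_alternative_name` says only that it adds SAN, but the directives it writes make set 11 a `userExtensionDefaultImpl` for OID 2.5.29.17 with `noConstraintImpl`, i.e. the profile copies the SAN extension supplied in the request without any profile-level constraint on the names. That is the security-relevant fact a maintainer needs: any check that the requester is entitled to the names it asks for has to happen before the CSR reaches Dogtag (whether the IPA cert-request path does this is not visible here). Suggest extending the docstring to state that, and to document the return value, e.g. `Returns True if the profile was modified, False if set 11 is already present or the set list is non-default and left untouched.` Minor style: `setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10'` reads more cleanly as `setlist in ('1,2,3,4,5,6,7,8,10', '1,2,3,4,5,6,7,8,9,10')`. `set_audit_renewal` continues past the end of the hunk.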