authorMartin Kosek <mkosek@redhat.com>2012-11-19 10:32:28 -0500
committerRob Crittenden <rcritten@redhat.com>2012-12-07 11:00:17 -0500
commit867f7691e9e8d4dc101d227ca56a94f9b947897f (patch)
treedcd1529b6a530091bdb1f446b34bf71bae3836a9 /install/tools/ipa-ca-install
parent0d836cd6ee9d7b29808cbf36582eed71a5b6a32a (diff)
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and OCSP extensions, which add the IPA CRL and OCSP URIs to published certificates. Both the CRL and the OCSP extension carry 2 URIs: one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN, which was introduced as a general CNAME pointing to all IPA replicas that have a CA configured. The new CNAME is added either during a new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
Diffstat (limited to 'install/tools/ipa-ca-install')
-rwxr-xr-xinstall/tools/ipa-ca-install23
1 files changed, 21 insertions, 2 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index aefcee8e5..f8f7e1d5d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -31,17 +31,17 @@ from ipaserver.install import certs
from ipaserver.install.installutils import HostnameLocalhost
from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
from ipaserver.install.installutils import get_host_name, BadHostError
-from ipaserver.install import dsinstance, cainstance
+from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipapython import version
from ipalib import api, util
+from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
from ipapython import dogtag
from ipapython.ipa_log_manager import *
log_file_name = "/var/log/ipareplica-ca-install.log"
-CACERT = "/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR = None
def parse_options():
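Review bot: The removal of `CACERT = "/etc/ipa/ca.crt"` is not mentioned in the commit message, and since this diff's only other deletion is the rewritten import line, any reference to CACERT that may remain elsewhere in the script (outside the visible hunks) would now raise NameError at run time rather than fail at import. It is presumably dead code, but a quick search before merging would confirm that, and a short mention in the message would save the next reader the same check.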
@@ -74,6 +74,22 @@ def parse_options():
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+def install_dns_records(config, options):
+
+ if not bindinstance.dns_container_exists(config.master_host_name,
+ ipautil.realm_to_suffix(config.realm_name),
+ dm_password=config.dirman_password):
+ return
+
+ bind = bindinstance.BindInstance(dm_password=config.dirman_password)
+ try:
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=config.dirman_password)
+ bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+ finally:
+ if api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.disconnect()
+
def main():
safe_options, options, filename = parse_options()
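Review bot: `install_dns_records(config, options)` declares an `options` parameter that its body never reads (only `config` is used), and the function has no docstring explaining that it binds to LDAP as Directory Manager and adds the ipa-ca CNAME only when the DNS container exists on the master. Either drop the parameter (and the extra argument at the call site in main(), in the next hunk) or document why it is accepted; a suitable docstring would be `"""Add the ipa-ca CNAME for this host when IPA DNS is configured on the master; binds as Directory Manager and always disconnects afterwards."""`. The body also calls `ipautil.realm_to_suffix`, and `ipautil` is not among the imports visible in this file's hunks; if it is not imported above the first hunk (line 31), this is a run-time NameError on the first CA install against a DNS-enabled master, so it is worth confirming. The try/finally around the connect and the `isconnected()` check before disconnecting are fine as written.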
@@ -176,6 +192,9 @@ def main():
CA.enable_client_auth_to_db()
CA.restart()
+ # Install CA DNS records
+ install_dns_records(config, options)
+
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)
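Review bot: The new `install_dns_records(config, options)` call sits after `CA.restart()` with no error handling, so a failure while adding the CNAME (for example an LDAP bind or DNS record error) would abort the installer after the CA has already been configured and started, leaving the replica in a partially installed state; it is not clear from this hunk whether main() catches such exceptions further up. If a missing CNAME is not fatal for the CA itself, consider catching the error here and logging it with a pointer to add the record manually; if it is fatal, the comment should say so, e.g. `# Install CA DNS records; failure here aborts the CA install`. The enclosing main() starts and ends outside this hunk.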