diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 11:26:20 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 17:24:01 -0500 |
| commit | e4470f8165242fba6c5ce477a2eeca0141891701 (patch) | |
| tree | 01b9fa763a36cce597c7bc045badcd02fe29523c /install/tools/ipa-replica-install | |
| parent | 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff) | |
| download | freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip | |
User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Diffstat (limited to 'install/tools/ipa-replica-install')
| -rwxr-xr-x | install/tools/ipa-replica-install | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 766957862..7131d6b76 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -48,6 +48,7 @@ class ReplicaConfig: self.host_name = "" self.repl_password = "" self.dir = "" + self.subject_base = "O=IPA" def parse_options(): from optparse import OptionParser @@ -106,6 +107,7 @@ def read_info(dir, rconfig): rconfig.ds_user = config.get("realm", "ds_user") rconfig.domain_name = config.get("realm", "domain_name") rconfig.host_name = config.get("realm", "destination_host") + rconfig.subject_base = config.get("realm", "subject_base") def get_host_name(): hostname = installutils.get_fqdn() @@ -150,9 +152,8 @@ def install_ca(config): cs = cainstance.CADSInstance() cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) - ca = cainstance.CAInstance() - ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name) + ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base) return ca @@ -346,6 +347,8 @@ def main(): CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() service.restart("httpd") + service.print_msg("Setting the certificate subject base") + CA.set_subject_in_config(util.realm_to_suffix(config.realm_name)) # The DS instance is created before the keytab, add the SSL cert we # generated @@ -370,6 +373,7 @@ def main(): service.restart("dirsrv") service.restart("krb5kdc") + service.restart("httpd") if options.setup_dns: api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", |