author | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 11:26:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 17:24:01 -0500 |
commit | e4470f8165242fba6c5ce477a2eeca0141891701 (patch) | |
tree | 01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/install/certs.py | |
parent | 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff) | |
User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig, but changing it there does
NOT dynamically update the CA configuration, at least for dogtag. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r-- | ipaserver/install/certs.py | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index a1dffff24..6e7eb82d1 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -173,7 +173,7 @@ def next_replica(serial_file=CA_SERIALNO):
 return str(serial)
 class CertDB(object):
- def __init__(self, nssdir, fstore=None, host_name=None):
+ def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None):
 self.secdir = nssdir
 self.noise_fname = self.secdir + "/noise.txt"
@@ -189,13 +189,14 @@ class CertDB(object):
 self.certreq_fname = None
 self.certder_fname = None
 self.host_name = host_name
+ self.cwd = os.getcwd()
 self.self_signed_ca = ipa_self_signed()
- if self.self_signed_ca:
- self.subject_format = "CN=%s,ou=test-ipa,O=IPA"
+ if subject_base:
+ self.subject_format = "CN=%%s,%s" % subject_base
 else:
- self.subject_format = "CN=%s,OU=pki-ipa,O=IPA"
+ self.subject_format = "CN=%s,O=IPA"
 self.cacert_name = "CA certificate"
 self.valid_months = "120"
@@ -218,6 +219,10 @@ class CertDB(object):
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
+ try:
+ os.chdir(self.cwd)
+ except:
+ pass
 def setup_cert_request(self):
 """
@@ -234,6 +239,10 @@ class CertDB(object):
 self.certreq_fname = self.reqdir + "/tmpcertreq"
 self.certder_fname = self.reqdir + "/tmpcert.der"
+ # When certutil makes a request it creates a file in the cwd, make
+ # sure we are in a unique place when this happens
+ os.chdir(self.reqdir)
+
 def set_serial_from_pkcs12(self):
 """A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
@@ -584,6 +593,9 @@ class CertDB(object):
 doc.unlink()
 conn.close()
+ # base64-decode the result
+ cert = base64.b64decode(cert)
+
 # Write the certificate to a file. It will be imported in a later
 # step.
 f = open(cert_fname, "w")
@@ -670,6 +682,9 @@ class CertDB(object):
 doc.unlink()
 conn.close()
+ # base64-decode the cert
+ cert = base64.b64decode(cert)
+
 f = open(cert_fname, "w")
 f.write(cert)
 f.close()
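Review bot: The new `subject_base` keyword on `__init__` is undocumented, and nothing in the signature tells a caller what shape it must have; the fallback branch later in this change shows it is the RDN sequence that follows the CN (the default is `O=IPA`). A short docstring line would pin that down: `subject_base: comma-separated RDNs appended after the CN of every issued subject, e.g. the default 'O=IPA'; None selects the default`. The body of `__init__` continues outside this hunk.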
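Review bot: `self.subject_format = "CN=%%s,%s" % subject_base` leaves any `%` present in the user-supplied subject base as a live conversion specifier, so the later `subject_format % name` expansion will either raise or silently consume its argument; escape the value first, `self.subject_format = "CN=%%s,%s" % subject_base.replace("%", "%%")`. Nothing here checks that the value is a well-formed comma-separated RDN list, so a malformed base is only noticed when the format is handed to certutil (presumably via `-s`; that consumer is outside this hunk). `self.self_signed_ca` is still computed on the line above but no longer read in this block, so the assignment may now be dead here.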
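Review bot: The bare `except:` added to `__del__` swallows SystemExit and KeyboardInterrupt along with the OSError it is presumably meant for; `except OSError: pass` is the narrow form. Restoring the process working directory from `__del__` also ties a process-global side effect to garbage-collection timing, so the restore belongs in the method that changed it (a `finally` after the certutil call) with `__del__` at most as a fallback. If `__init__` raised before reaching `self.cwd = os.getcwd()`, this `__del__` would hit an AttributeError on `self.cwd`; `os.chdir(getattr(self, "cwd", None) or ".")` style guarding, or simply checking `hasattr(self, "cwd")` first, avoids that.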
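Review bot: `os.chdir(self.reqdir)` changes the working directory for the whole process until `__del__` eventually runs, so any relative path the caller or this object still holds resolves against the request directory from here on — `self.secdir = nssdir` in `__init__` is stored without `os.path.abspath`, for instance. If `run_certutil` ends up in a subprocess call, passing `cwd=self.reqdir` to that call confines the effect to certutil itself; failing that, normalising `nssdir` with `os.path.abspath` in `__init__` limits the blast radius. `setup_cert_request` begins outside this hunk.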
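Review bot: `cert = base64.b64decode(cert)` runs on the value extracted from the CA's XML response with no handling of malformed or empty input, so a bad reply surfaces as an uncaught decode error at this line rather than as a clear failure naming the CA response; the identical line in the `@@ -670` hunk has the same gap. Because the content written is now DER rather than base64 text, the unchanged `f = open(cert_fname, "w")` that follows should become `f = open(cert_fname, "wb")` in both places so the binary write is explicit and portable. Both enclosing methods begin outside their hunks.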
@@ -684,8 +699,6 @@ class CertDB(object):
 "-t", "u,u,u", "-i", cert_fname, "-f", self.passwd_fname]
- if not self.self_signed_ca:
- args.append("-a")
 self.run_certutil(args)
 def create_pin_file(self): |