author | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 11:25:27 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-10-09 17:51:13 +0200 |
commit | eb79f5c955d80b6f6e1522d9d0206c9678b2b9e1 (patch) | |
tree | bfe257a221d8b922723fcc13c572311e0e8f7f8d /ipaserver | |
parent | 96decfea26a1ca977aa81456e46e0590dde1f861 (diff) | |
Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.
https://fedorahosted.org/freeipa/ticket/2951
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c37c261f2..a64fe6f03 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -562,6 +562,7 @@ class CAInstance(service.Service):
 self.step("set up CRL publishing", self.__enable_crl_publish)
 self.step("set certificate subject base", self.__set_subject_in_config)
 self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+ self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
 self.step("configuring certificate server to start on boot", self.__enable)
 if not self.clone:
 self.step("restarting certificate server", self.__restart_instance)
@@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
 # No update was done
 return False
 
+ def set_audit_renewal(self):
+ """
+ The default renewal time for the audit signing certificate is
+ six months rather than two years. Fix it. This is BZ 843979.
+ """
+ # Check the default validity period of the audit signing cert
+ # and set it to 2 years if it is 6 months.
+ range = installutils.get_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ separator='='
+ )
+ root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+ if range == "180":
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.constraint.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+ return True
+ return False
+
 def is_master(self):
 """
 There are some tasks that are only done on a single dogtag master. |
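Review bot: In the second hunk, `set_audit_renewal` gates the whole update on `policyset.caLogSigningSet.2.default.params.range == "180"` but then rewrites both that directive and `policyset.caLogSigningSet.2.constraint.params.range`, so a profile whose constraint range was already adjusted by an operator would presumably be overwritten to 720 without being read first; reading the constraint value with a second `installutils.get_directive(...)` call and logging it alongside the default would let the update only touch what still matches, and give the debug log a record of what was replaced. The local `range` shadows the builtin; `validity = installutils.get_directive(` avoids that. The profile path `'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR` is built three times, so hoisting it into one local such as `profile = '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR` keeps the three directive calls pointing at the same file. The collapsed rendering drops indentation, so whether `return True` sits inside the `if` branch cannot be confirmed from this page, though the 33-insertion diffstat is consistent with that reading. The method belongs to `CAInstance`, whose body continues outside both hunks.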