author | Jan Cholasta <jcholast@redhat.com> | 2013-04-08 10:20:00 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-04-11 13:50:35 +0200 |
commit | b25080bbca1d30c80ab8db4b8cca42cd85146a82 (patch) | |
tree | 0896e15659429edf1b87de4161dd0812e733e4cd /ipaserver | |
parent | 74abb432fb35ce222fd2a9b954557080cad63bf4 (diff) | |
Use only one URL for OCSP and CRL in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3552
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 59 |
1 files changed, 14 insertions, 45 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6bf22dbfc..3476b2c85 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1271,17 +1271,18 @@ class CAInstance(service.Service):
         changed = False
         # OCSP extension
+        ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
         ocsp_location_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
             separator='=')
-        if not ocsp_location_0:
+        if ocsp_location_0 != ocsp_url:
             # Set the first OCSP URI
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
-                'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                ocsp_url, quotes=False, separator='=')
             changed = True
         ocsp_profile_count = installutils.get_directive(
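Review bot: The change of the AIA OCSP location from `https://` to plain `http://` on the new `ocsp_url` line reads like a downgrade and deserves a comment, because that is exactly what the next reader will flag. Plain HTTP is the right choice here: OCSP responses are signed by the responder, and an HTTPS AIA location would force a client to validate the responder's own TLS certificate, including its revocation status, before it can check revocation at all. Suggest `# Plain http on purpose: OCSP responses are signed, and an https AIA location would need a revocation check of the responder's own TLS certificate first.` directly above the assignment. Note also that the new `ocsp_location_0 != ocsp_url` test rewrites the directive whenever it differs from the computed value, so an administrator-customised OCSP location is silently replaced rather than preserved; if that is intended, the `# Set the first OCSP URI` comment could say so. The enclosing method starts before this hunk.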
@@ -1289,34 +1290,22 @@ class CAInstance(service.Service):
             'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
             separator='=')
-        if ocsp_profile_count == '1':
-            # add the second OCSP URI
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
-                'true', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
-                'URIName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
-                'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
-                quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
-                '1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
+        if ocsp_profile_count != '1':
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
-                '2', quotes=False, separator='=')
+                '1', quotes=False, separator='=')
             changed = True
         # CRL extension
-        crl_issuer_0 = installutils.get_directive(
+        crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain))
+
+        crl_point_0 = installutils.get_directive(
             self.dogtag_constants.IPA_SERVICE_PROFILE,
-            'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
+            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
             separator='=')
-        if not crl_issuer_0:
+        if crl_point_0 != crl_url:
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
                 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
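Review bot: When `ocsp_profile_count` is not '1' the new branch only writes `authInfoAccessNumADs=1`; the `authInfoAccessADEnable_1`, `authInfoAccessADLocationType_1`, `authInfoAccessADLocation_1` and `authInfoAccessADMethod_1` directives that the removed code wrote into profiles on earlier upgrades are left in place. Whether Dogtag ignores entries beyond `authInfoAccessNumADs` I can't confirm from here, but a profile that still carries `authInfoAccessADEnable_1=true` with a per-server `http://<fqdn>/ca/ocsp` URL is misleading to anyone auditing the CA configuration. Consider explicitly disabling the stale entry in the same branch, e.g. `installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1', 'false', quotes=False, separator='=')`, or adding a comment stating that it is intentionally left alone. Minor: `'...MasterCRL.bin'% (` is missing the space before `%` that the `ocsp_url` line has. The enclosing method continues outside the hunk on both sides.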
@@ -1325,8 +1314,7 @@ class CAInstance(service.Service):
                 'DirectoryName', quotes=False, separator='=')
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
-                'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
-                quotes=False, separator='=')
+                crl_url, quotes=False, separator='=')
             changed = True
         crl_profile_count = installutils.get_directive(
@@ -1334,29 +1322,10 @@ class CAInstance(service.Service):
             'policyset.serverCertSet.9.default.params.crlDistPointsNum',
             separator='=')
-        if crl_profile_count == '1':
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
-                'true', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
-                'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
-                'DirectoryName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
-                'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
-                quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
-                'URIName', quotes=False, separator='=')
-            installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
-                'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
-                '', quotes=False, separator='=')
+        if crl_profile_count != '1':
             installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
                 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
-                '2', quotes=False, separator='=')
+                '1', quotes=False, separator='=')
             changed = True
         # CRL extension is not enabled by default
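Review bot: The `crl_profile_count != '1'` branch resets `crlDistPointsNum` to 1 but nothing clears the `crlDistPointsEnable_1` / `crlDistPointsPointName_1` entries that the removed code wrote into already-upgraded profiles, and that second point named the individual server's `https://<fqdn>/ipa/crl/MasterCRL.bin` rather than the CA CNAME this commit standardises on. If the profile parser honours `crlDistPointsNum` (I can't confirm that from here) those values are inert, but an `Enable_1=true` entry left in the profile makes the effective CDP configuration harder to audit. Either set `crlDistPointsEnable_1` to `'false'` in this branch alongside the count, or add `# _1 entries from the two-URL layout are intentionally left in place; crlDistPointsNum=1 masks them` so the leftover state is documented. The method continues past `# CRL extension is not enabled by default`.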