authorJan Cholasta <jcholast@redhat.com>2014-07-17 11:47:26 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit044c5c833a83a541f97785279acfe8e113035b3d (patch)
treef2f0dcabd1c2754a9e07060acf919cb0cdf9437b /ipaserver
parent03b29b4c8e4109bbfbc1468baa60b521bc32cdb1 (diff)
Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1d1e9a01c..b64588c0f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -457,6 +457,7 @@ class CAInstance(service.Service):
self.step("stopping certificate server instance to update CS.cfg", self.__stop)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
self.step("starting certificate server instance", self.__start)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
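Review bot: The new step registers `self.enable_pkix`, a public method, while every neighbouring step callable in this list (`__stop`, `__disable_nonce`, `__enable_crl_publish`, `__start`) is name-mangled private; if the public name is deliberate so that an upgrade path can call it on existing instances, the method should say so, and if not it should follow the `__enable_pkix` convention for consistency. The method itself is defined in the second hunk, which this chunk cuts off, and it carries no docstring although it changes how the CA validates certificate chains. I would add one along the lines of `"""Set NSS_ENABLE_PKIX_VERIFY=1 in the Dogtag sysconfig so NSS performs PKIX path discovery and validation; the file is presumably read at instance start, so this step must stay ahead of __start."""`, with the ordering claim confirmed against how the sysconfig file is consumed. The enclosing step-registration method starts outside this hunk.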
@@ -807,6 +808,11 @@ class CAInstance(service.Service):
os.chown(self.dogtag_constants.CS_CFG_PATH,
pent.pw_uid, pent.pw_gid)
+ def enable_pkix(self):
+ installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+ 'NSS_ENABLE_PKIX_VERIFY', '1',
+ quotes=False, separator='=')
+
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
(admin_fd, admin_name) = tempfile.mkstemp()