authorJan Cholasta <jcholast@redhat.com>2014-03-12 11:33:18 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit2f6990c256bc04389a9653094bc15bb94832bffa (patch)
treeae85b49307f2c6b4d5ece5bcaabc72662f99970b /ipaserver
parent9393c3978e1dc2beaa88331db1f30021c44f526b (diff)
Track CA certificate using dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py20
1 files changed, 13 insertions, 7 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 03aec9571..f0aef7558 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -312,9 +312,10 @@ def stop_tracking_certificates(dogtag_constants):
cmonger.start()
for nickname in ['Server-Cert cert-pki-ca',
- 'auditSigningCert cert-pki-ca',
- 'ocspSigningCert cert-pki-ca',
- 'subsystemCert cert-pki-ca']:
+ 'auditSigningCert cert-pki-ca',
+ 'ocspSigningCert cert-pki-ca',
+ 'subsystemCert cert-pki-ca',
+ 'caSigningCert cert-pki-ca']:
try:
certmonger.stop_tracking(
dogtag_constants.ALIAS_DIR, nickname=nickname)
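Review bot: The nickname list in `stop_tracking_certificates` is a hand-maintained copy of the names that `configure_renewal` starts tracking, and this commit has to add `'caSigningCert cert-pki-ca'` in both places. If the two drift apart, a certificate that is tracked but not listed here would presumably keep a stale certmonger request after uninstall. Consider one module-level tuple, for example `CA_TRACKED_NICKNAMES = ('auditSigningCert cert-pki-ca', ...)`, with this function prepending `'Server-Cert cert-pki-ca'` and `configure_renewal` deriving its pairs from it. The function body starts before this hunk, so the setup around `cmonger.start()` is not visible here.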
@@ -1437,12 +1438,16 @@ class CAInstance(service.Service):
'Unable to determine PIN for CA instance: %s' % e)
def configure_renewal(self):
+ reqs = (
+ ('auditSigningCert cert-pki-ca', None),
+ ('ocspSigningCert cert-pki-ca', None),
+ ('subsystemCert cert-pki-ca', None),
+ ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'),
+ )
pin = self.__get_ca_pin()
# Server-Cert cert-pki-ca is renewed per-server
- for nickname in ['auditSigningCert cert-pki-ca',
- 'ocspSigningCert cert-pki-ca',
- 'subsystemCert cert-pki-ca']:
+ for nickname, profile in reqs:
try:
certmonger.dogtag_start_tracking(
ca='dogtag-ipa-ca-renew-agent',
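Review bot: The new `reqs` tuple in `configure_renewal` pairs each nickname with a profile, but nothing says what `None` means or why only the CA signing certificate gets `'ipaCACertRenewal'`. A short comment above the tuple would help, such as `# (nickname, renewal profile); None presumably keeps the helper's default profile`, with the wording checked against `dogtag_start_tracking`. The existing comment `# Server-Cert cert-pki-ca is renewed per-server` explains an omission from the list, so it reads better directly above `reqs` than between `pin` and the loop. The call to `dogtag_start_tracking` continues past the end of this hunk.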
@@ -1451,7 +1456,8 @@ class CAInstance(service.Service):
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
pre_command='stop_pkicad',
- post_command='renew_ca_cert "%s"' % nickname)
+ post_command='renew_ca_cert "%s"' % nickname,
+ profile=profile)
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error(
"certmonger failed to start tracking certificate: %s" % e)
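Review bot: The `except` branch at the end of the loop logs the failure without naming the certificate and then continues, and after this commit that loop also covers `caSigningCert cert-pki-ca`. A failed tracking request for the CA signing certificate would leave it unmonitored for renewal, and the only trace is a log line that does not identify which of the four nicknames failed. Include the nickname in the message: `"certmonger failed to start tracking certificate %s: %s" % (nickname, e)`. It may also be worth deciding whether a failure for the CA signing certificate should abort configuration rather than be logged and skipped; callers are not visible in this hunk, so that is a question rather than a finding.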