summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2010-11-01 13:51:14 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:31 -0500
commit74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (patch)
tree13165adebe5ee440606b76e735e49787fb94657a /ipaserver
parent775fc23738d8a882bdd9cff9064b50594901e518 (diff)
downloadfreeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.zip
freeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.tar.gz
freeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.tar.xz
Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py16
-rw-r--r--ipaserver/install/certs.py15
-rw-r--r--ipaserver/install/dsinstance.py8
-rw-r--r--ipaserver/install/httpinstance.py14
-rw-r--r--ipaserver/plugins/selfsign.py5
5 files changed, 34 insertions, 24 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1998928..5f13b72 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -36,7 +36,7 @@ import urllib
import xml.dom.minidom
import stat
from ipapython import dogtag
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
from ipalib import pkcs10
import subprocess
@@ -365,8 +365,9 @@ class CAInstance(service.Service):
2 = have signed cert, continue installation
"""
- def __init__(self):
+ def __init__(self, realm):
service.Service.__init__(self, "pki-cad")
+ self.realm = realm
self.pki_user = "pkiuser"
self.dm_password = None
self.admin_password = None
@@ -382,7 +383,7 @@ class CAInstance(service.Service):
# The same database is used for mod_nss because the NSS context
# will already have been initialized by Apache by the time
# mod_python wants to do things.
- self.canickname = CA_NICKNAME
+ self.canickname = get_ca_nickname(realm)
self.basedn = "o=ipaca"
self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-")
self.ra_agent_db = "/etc/httpd/alias"
@@ -400,7 +401,7 @@ class CAInstance(service.Service):
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
- subject_base="O=IPA"):
+ subject_base=None):
"""Create a CA instance. This may involve creating the pki-ca instance
dogtag instance.
@@ -420,7 +421,10 @@ class CAInstance(service.Service):
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
- self.subject_base = subject_base
+ if subject_base is None:
+ self.subject_base = "O=%s" % self.realm
+ else:
+ self.subject_base = subject_base
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
@@ -1000,5 +1004,5 @@ if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
- ca = CAInstance()
+ ca = CAInstance("EXAMPLE.COM")
ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4f8b4e7..d4728b8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -33,7 +33,7 @@ from ipapython import dogtag
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import certmonger
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
from ipalib import pkcs10
from ConfigParser import RawConfigParser, MissingSectionHeaderError
import service
@@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO):
return str(serial)
class CertDB(object):
- def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None):
+ def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None):
self.secdir = nssdir
+ self.realm = realm
self.noise_fname = self.secdir + "/noise.txt"
self.passwd_fname = self.secdir + "/pwdfile.txt"
@@ -191,7 +192,7 @@ class CertDB(object):
else:
self.subject_format = "CN=%s,O=IPA"
- self.cacert_name = CA_NICKNAME
+ self.cacert_name = get_ca_nickname(self.realm)
self.valid_months = "120"
self.keysize = "1024"
@@ -345,10 +346,11 @@ class CertDB(object):
def create_ca_cert(self):
os.chdir(self.secdir)
+ subject = "cn=%s Certificate Authority" % self.realm
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-S", "-n", self.cacert_name,
- "-s", "cn=IPA Test Certificate Authority",
+ "-s", subject,
"-x",
"-t", "CT,,C",
"-1",
@@ -853,7 +855,10 @@ class CertDB(object):
else:
raise RuntimeError("unknown error import pkcs#12 file")
- def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME):
+ def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
+ if nickname is None:
+ nickname = get_ca_nickname(api.env.realm)
+
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", pkcs12_fname,
"-n", nickname,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 89613bc..48b6f55 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -404,7 +404,7 @@ class DsInstance(service.Service):
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
- dsdb = certs.CertDB(dirname, subject_base=self.subject_base)
+ dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
if self.pkcs12_info:
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
server_certs = dsdb.find_server_certs()
@@ -416,7 +416,7 @@ class DsInstance(service.Service):
self.dercert = dsdb.get_cert_from_db(nickname)
else:
nickname = "Server-Cert"
- cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
+ cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
if self.self_signed_ca:
cadb.create_self_signed()
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
@@ -529,7 +529,7 @@ class DsInstance(service.Service):
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(dirname)
+ dsdb = certs.CertDB(dirname, self.realm_name)
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
@@ -571,7 +571,7 @@ class DsInstance(service.Service):
self.stop()
dirname = config_dirname(realm_to_serverid(self.realm_name))
- certdb = certs.CertDB(dirname, subject_base=self.subject_base)
+ certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
if not cacert_name or len(cacert_name) == 0:
cacert_name = "Imported CA"
# we can't pass in the nickname, so we set the instance variable
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 13d7a66..f55995b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,7 +30,7 @@ import dsinstance
import installutils
from ipapython import sysrestore
from ipapython import ipautil
-from ipalib import util
+from ipalib import util, api
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@@ -164,10 +164,10 @@ class HTTPInstance(service.Service):
def __setup_ssl(self):
if self.self_signed_ca:
- ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
else:
- ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
- db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
+ db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
server_certs = db.find_server_certs()
@@ -223,7 +223,7 @@ class HTTPInstance(service.Service):
prefs_fd.close()
# The signing cert is generated in __setup_ssl
- db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
@@ -238,7 +238,7 @@ class HTTPInstance(service.Service):
shutil.rmtree(tmpdir)
def __publish_ca_cert(self):
- ca_db = certs.CertDB(NSS_DIR)
+ ca_db = certs.CertDB(NSS_DIR, self.realm)
shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
@@ -252,7 +252,7 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
- db = certs.CertDB(NSS_DIR)
+ db = certs.CertDB(NSS_DIR, api.env.realm)
db.untrack_server_cert("Server-Cert")
if not enabled is None and not enabled:
self.chkconfig_off()
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 9943f73..741fb0d 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -39,7 +39,7 @@ from ipalib import Backend
from ipalib import errors
from ipalib import x509
from ipalib import pkcs10
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
import subprocess
import os
import re
@@ -47,6 +47,7 @@ from ipaserver.plugins import rabase
from ipaserver.install import certs
import tempfile
from ipalib import _
+from ipalib import api
from ipalib.plugins.cert import get_csr_hostname
from nss.error import NSPRError
@@ -157,7 +158,7 @@ class ra(rabase.rabase):
"/usr/bin/certutil",
"-C",
"-d", self.sec_dir,
- "-c", CA_NICKNAME,
+ "-c", get_ca_nickname(api.env.realm),
"-i", csr_name,
"-o", cert_name,
"-m", str(serialno),