-rw-r--r--install/tools/ipa-upgradeconfig21
-rw-r--r--ipaserver/install/cainstance.py33
2 files changed, 47 insertions, 7 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cb2164c0c..4ed718a9b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -211,14 +211,15 @@ def upgrade_pki(fstore):
This requires enabling SSL renegotiation.
"""
+ configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
- if not os.path.exists('/etc/pki-ca/CS.cfg'):
+ if not os.path.exists(configured_constants.CS_CFG_PATH):
root_logger.debug('No CA detected in /etc/pki-ca')
return
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
- if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+ if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists('/usr/bin/pki-setup-proxy'):
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
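Review bot: The debug message just after the new existence check still names the hard-coded directory `/etc/pki-ca`, while the check itself now reads `configured_constants.CS_CFG_PATH`, so on a layout where that constant points elsewhere the log reports a path that was never tested. Use the same value in the message, e.g. `root_logger.debug('No CA detected, %s not found' % configured_constants.CS_CFG_PATH)`. The `pki-setup-proxy` call two lines later still hard-codes `-pki_instance_root=/var/lib`; if `dogtag.configured_constants()` exposes an equivalent it would be consistent to use it there too, though the remainder of that call and of upgrade_pki lies outside the hunk.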
@@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
def upgrade_ipa_profile(ca):
"""
Update the IPA Profile provided by dogtag
+
+ Returns True if restart is needed, False otherwise.
"""
root_logger.info('[Verifying that CA service certificate profile is updated]')
if ca.is_configured():
- if ca.enable_subject_key_identifier():
- root_logger.debug('Subject Key Identifier updated, restarting CA')
- ca.restart()
+ ski = ca.enable_subject_key_identifier()
+ if ski:
+ root_logger.debug('Subject Key Identifier updated.')
else:
root_logger.debug('Subject Key Identifier already set.')
+ audit = ca.set_audit_renewal()
+ if audit or ski:
+ return True
else:
root_logger.debug('CA is not configured')
+ return False
+
def upgrade_httpd_selinux(fstore):
"""
Update SElinux configuration for httpd instance in the same way as the
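Review bot: When the CA is configured but neither `ski` nor `audit` is true, control falls out of the `if ca.is_configured():` branch without reaching a `return` unless the `return False` after the 'CA is not configured' debug sits at function level; the rendered page drops indentation so this cannot be confirmed here, but as printed it reads as part of the `else:`, which would make the configured-but-unchanged case return None rather than the False the new docstring promises. Replacing `if audit or ski:` / `return True` with `return bool(ski or audit)` inside the configured branch gives the documented result whichever indentation is intended. Both `enable_subject_key_identifier()` and `set_audit_renewal()` are evaluated unconditionally here, which is what main() needs now that the restart decision has moved to the caller.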
@@ -609,14 +617,13 @@ def main():
pass
cleanup_kdc(fstore)
- upgrade_ipa_profile(ca)
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
- ca_restart = ca_restart or enable_certificate_renewal(ca)
+ ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')
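Review bot: Moving `upgrade_ipa_profile(ca)` into the `or` chain makes it conditional: Python short-circuits, so whenever `ca_restart` is already true, or `enable_certificate_renewal(ca)` returns true, the profile upgrade including the new audit-renewal fix is skipped entirely, whereas before this change it ran on every upgrade. The same short-circuit already applied to `enable_certificate_renewal(ca)`, which may or may not have been intended. Evaluate the steps first and combine afterwards: `renewal_changed = enable_certificate_renewal(ca)`, `profile_changed = upgrade_ipa_profile(ca)`, `ca_restart = ca_restart or renewal_changed or profile_changed`. The rest of main() is outside the hunk.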
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c37c261f2..a64fe6f03 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -562,6 +562,7 @@ class CAInstance(service.Service):
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("set certificate subject base", self.__set_subject_in_config)
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+ self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
self.step("restarting certificate server", self.__restart_instance)
@@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
# No update was done
return False
+ def set_audit_renewal(self):
+ """
+ The default renewal time for the audit signing certificate is
+ six months rather than two years. Fix it. This is BZ 843979.
+ """
+ # Check the default validity period of the audit signing cert
+ # and set it to 2 years if it is 6 months.
+ range = installutils.get_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ separator='='
+ )
+ root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+ if range == "180":
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.constraint.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+ return True
+ return False
+
def is_master(self):
"""
There are some tasks that are only done on a single dogtag master.