3 files changed, 30 insertions, 0 deletions

diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad618f..5ee3eddb5 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
+	ipa-pki-proxy.conf			\
 	ipa-rewrite.conf		\
 	$(NULL)
 
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
new file mode 100644
index 000000000..275f32645
--- /dev/null
+++ b/install/conf/ipa-pki-proxy.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient require
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 7bbba4b14..05a05dce9 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -36,6 +36,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import ipautil
 
 CACERT="/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR=None
@@ -144,6 +145,9 @@ def main():
     cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
     cs.add_cert_to_service()
 
+    # We need to restart apache as we drop a new config file in there
+    ipautil.service_restart('httpd', '', True)
+
 try:
     if not os.geteuid()==0:
         sys.exit("\nYou must be root to run this script.\n")