diff options
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 97ba833be..47183bb22 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -46,7 +46,6 @@ from ipapython import nsslib from ipaserver.install import service from ipaserver.install import installutils -from ipaserver import ipaldap from ipaserver.install import dsinstance from ipalib import util @@ -414,7 +413,8 @@ class CAInstance(service.Service): def configure_instance(self, pki_user, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, - cert_file=None, cert_chain_file=None): + cert_file=None, cert_chain_file=None, + subject_base="O=IPA"): """Create a CA instance. This may involve creating the pki-ca instance dogtag instance. @@ -434,6 +434,7 @@ class CAInstance(service.Service): if self.pkcs12_info is not None: self.clone = True self.master_host = master_host + self.subject_base = subject_base # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -540,7 +541,7 @@ class CAInstance(service.Service): "-agent_name", "ipa-ca-agent", "-agent_key_size", "2048", "-agent_key_type", "rsa", - "-agent_cert_subject", "\"CN=ipa-ca-agent,O=" + self.domain_name + "\"", + "-agent_cert_subject", "\"CN=ipa-ca-agent,%s\"" % self.subject_base, "-ldap_host", self.host_name, "-ldap_port", str(self.ds_port), "-bind_dn", "\"cn=Directory Manager\"", @@ -553,11 +554,11 @@ class CAInstance(service.Service): "-backup_pwd", self.admin_password, "-subsystem_name", self.service_name, "-token_name", "internal", - "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem Certificate,O=" + self.domain_name + "\"", - "-ca_ocsp_cert_subject_name", "\"CN=OCSP Signing Certificate,O=" + self.domain_name + "\"", - "-ca_server_cert_subject_name", "CN=" + self.host_name + ",O=" + self.domain_name, - "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit Signing Certificate,O=" + self.domain_name + "\"", - "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,O=" + self.domain_name + "\"" ] + "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem,%s\"" % self.subject_base, + "-ca_ocsp_cert_subject_name", "\"CN=OCSP Subsystem,%s\"" % self.subject_base, + "-ca_server_cert_subject_name", "\"CN=%s,%s\"" % (self.host_name, self.subject_base), + "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit,%s\"" % self.subject_base, + "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,%s\"" % self.subject_base ] if self.external == 1: args.append("-external") args.append("true") @@ -770,7 +771,7 @@ class CAInstance(service.Service): ('usertype', "agentType"), ('userstate', "1"), ('userCertificate', decoded), - ('description', '2;%s;CN=Certificate Authority,O=%s;CN=RA Subsystem Certificate,OU=pki-ipa,O=%s' % (str(self.requestId), self.domain_name, self.domain_name)),] + ('description', '2;%s;CN=Certificate Authority,%s;CN=RA Subsystem,%s' % (str(self.requestId), self.subject_base, self.subject_base)),] ld.add_s(entry_dn, entry) @@ -886,7 +887,7 @@ class CAInstance(service.Service): # Generate our CSR. The result gets put into stdout try: - (stdout, stderr, returncode) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem Certificate,OU=pki-ipa,O=%s" % self.domain_name, "-z", noise_name, "-a"]) + (stdout, stderr, returncode) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem,%s" % self.subject_base, "-z", noise_name, "-a"]) finally: os.remove(noise_name) @@ -1000,6 +1001,13 @@ class CAInstance(service.Service): ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"]) + def set_subject_in_config(self, suffix): + # dogtag ships with an IPA-specific profile that forces a subject + # format. We need to update that template with our base subject + if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base): + print "Updating subject_base in CA template failed" + self.__restart_instance() + def uninstall(self): try: ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", |