authorSimo Sorce <ssorce@redhat.com>2010-11-01 13:51:14 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:31 -0500
commit74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (patch)
tree13165adebe5ee440606b76e735e49787fb94657a /install/tools
parent775fc23738d8a882bdd9cff9064b50594901e518 (diff)
Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
Diffstat (limited to 'install/tools')
-rwxr-xr-xinstall/tools/ipa-replica-install2
-rwxr-xr-xinstall/tools/ipa-replica-prepare6
-rwxr-xr-xinstall/tools/ipa-server-certinstall2
-rwxr-xr-xinstall/tools/ipa-server-install14
-rw-r--r--install/tools/man/ipa-server-install.12
5 files changed, 14 insertions, 12 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e4aae4aa..2beadae8 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -48,7 +48,7 @@ class ReplicaConfig:
self.host_name = ""
self.repl_password = ""
self.dir = ""
- self.subject_base = "O=IPA"
+ self.subject_base = ""
def parse_options():
usage = "%prog [options] REPLICA_FILE"
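Review bot: The new default `self.subject_base = ""` leaves ReplicaConfig without a usable subject base unless something later fills it from the replica info file, and this hunk shows no fallback equivalent to the `O=<realm>` default that ipa-server-install now computes when --subject is empty. If a replica file was produced by an older ipa-replica-prepare that did not record a subject base, CertDB would presumably be created with an empty base; a comment stating where the value is expected to come from makes the intent explicit, e.g. `self.subject_base = ""  # filled in from the replica info file; must not remain empty`. The rest of ReplicaConfig and the code that reads the replica file are outside the hunk, so whether the value is always populated cannot be confirmed here.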
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6e9d649a..059b011f 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
try:
self_signed = certs.ipa_self_signed()
- db = certs.CertDB(dir, subject_base=subject_base)
+ db = certs.CertDB(dir, realm_name, subject_base=subject_base)
db.create_passwd_file()
# if self_signed:
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
# db.create_from_cacert(ca_db.cacert_fname)
# else:
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
- ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+ ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e:
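Review bot: The commented-out block between the two changed lines still shows the old `certs.CertDB(...)` calls without the realm argument, so it now documents a constructor signature that no longer exists. The live code below it already handles the CA database case, so the dead block should be dropped, or updated to the new calling convention if it is being kept deliberately. The `except Exception, e:` handler that closes the try continues outside the hunk, so how a CertDB failure is reported cannot be judged here.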
@@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):
try:
try:
- db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+ db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d853f718..9d69853e 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
return server_certs[num - 1]
def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
- cdb = certs.CertDB(dirname)
+ cdb = certs.CertDB(dirname, api.env.realm)
cdb.create_passwd_file(db_password)
cdb.create_certdbs()
[pw_fd, pw_name] = tempfile.mkstemp()
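Review bot: `import_cert` now reads `api.env.realm` directly while every other input (`dirname`, `pkcs12_fname`, the passwords) is a parameter, which ties the helper to a bootstrapped api object that the hunk does not show being initialised. Passing the realm explicitly, as `export_certdb(realm_name, ...)` does in ipa-replica-prepare, keeps the function free of that hidden dependency: `def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password, realm=None):` with `cdb = certs.CertDB(dirname, realm or api.env.realm)`. The function body continues past the hunk.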
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c8a17c99..569079d5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -122,8 +122,8 @@ def parse_options():
help="The starting uid value (default random)")
parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int,
help="The starting gid value (default random)")
- parser.add_option("--subject", dest="subject", default="O=IPA",
- help="The certificate subject base (default O=IPA)")
+ parser.add_option("--subject", dest="subject",
+ help="The certificate subject base (default O=<realm-name>)")
parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
action="store_true",
help="Don't install allow_all HBAC rule")
@@ -402,8 +402,8 @@ def uninstall():
ntpinstance.NTPInstance(fstore).uninstall()
if cainstance.CADSInstance().is_configured():
cainstance.CADSInstance().uninstall()
- if cainstance.CAInstance().is_configured():
- cainstance.CAInstance().uninstall()
+ if cainstance.CAInstance(api.env.realm).is_configured():
+ cainstance.CAInstance(api.env.realm).uninstall()
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
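Review bot: `cainstance.CAInstance(api.env.realm)` is constructed twice on consecutive lines, once for `is_configured()` and once for `uninstall()`; binding it once reads better and avoids repeating whatever setup the constructor does: `ca = cainstance.CAInstance(api.env.realm)` / `if ca.is_configured():` / `    ca.uninstall()`. The CADSInstance pair just above follows the same double-construction pattern, which the commit leaves untouched. uninstall() starts and ends outside the hunk.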
@@ -465,7 +465,6 @@ def main():
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
-
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
@@ -610,6 +609,9 @@ def main():
else:
realm_name = options.realm_name.upper()
+ if not options.subject:
+ options.subject = "O=%s" % realm_name
+
if not options.dm_password:
dm_password = read_dm_password()
else:
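Review bot: The fallback `options.subject = "O=%s" % realm_name` interpolates the realm into a distinguished name without escaping, so a realm containing any of the RFC 4514 special characters (comma, plus, double quote, backslash, angle brackets, semicolon, equals) would produce a subject base that parses as additional RDNs or is rejected by the certificate tooling. The realm comes from user input (`options.realm_name`, upper-cased on the line above), so it should be escaped as an RDN value, or rejected with an error when it contains those characters, before being used; an explicit --subject still bypasses the fallback. Whether realm names are already restricted to a safe character set at parse time cannot be seen from this hunk, and main() starts and ends outside it. Note also that with the parser default removed, `options.subject` is None until this point, so any use of it earlier in main() would need checking. A leading space or `#` and a trailing space are also special in RFC 4514 and are not covered by the helper below.

```python
def _escape_rdn_value(value):
    """Backslash-escape the RFC 4514 special characters in an RDN value."""
    for ch in '\\,+"<>;=':
        value = value.replace(ch, '\\' + ch)
    return value

# … unchanged: realm selection …
if not options.subject:
    options.subject = "O=%s" % _escape_rdn_value(realm_name)
```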
@@ -689,7 +691,7 @@ def main():
if options.external_cert_file is None:
cs = cainstance.CADSInstance()
cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
- ca = cainstance.CAInstance()
+ ca = cainstance.CAInstance(realm_name)
if external == 0:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
elif external == 1:
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 943a4201..0d4d8c52 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -102,7 +102,7 @@ The starting user id number (default random)
The starting group id number (default random)
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
- The certificate subject base (default O=IPA)
+ The certificate subject base (default O=REALM.NAME)
.TP
\fB\-\-no_hbac_allow\fR
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.