diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-04-05 16:27:46 -0400 |
|---|---|---|
| committer | Jason Gerard DeRose <jderose@redhat.com> | 2010-04-23 04:57:40 -0600 |
| commit | 1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908 (patch) | |
| tree | 3816a3809f5274741850c89ea830c24859f05e64 /ipa-client/ipa-install | |
| parent | 7c61663def1b00ceb4daf22be7a8d1c7116b6433 (diff) | |
| download | freeipa-1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908.tar.gz freeipa-1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908.tar.xz freeipa-1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908.zip | |
Use the certificate subject base in IPA when requesting certs in certmonger.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
Diffstat (limited to 'ipa-client/ipa-install')
| -rw-r--r-- | ipa-client/ipa-install/ipa-client-install | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 9e66e786..7a5e0931 100644 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -301,7 +301,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d return 0 -def configure_certmonger(fstore, options): +def configure_certmonger(fstore, subject_base, cli_realm, options): started = True try: @@ -319,8 +319,10 @@ def configure_certmonger(fstore, options): # Request our host cert if started: + subject = 'CN=%s,%s' % (socket.getfqdn(), subject_base) + principal = 'host/%s@%s' % (socket.getfqdn(), cli_realm) try: - run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"]) + run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", "Server-Cert", "-N", subject, "-K", principal]) except: print "certmonger request for host certificate failed" @@ -370,6 +372,8 @@ def main(): cli_realm = None cli_basedn = None + subject_base = "O=IPA" + if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: print "One of password and principal are required." return 1 @@ -489,6 +493,13 @@ def main(): if not options.force: return 1 print " Use ipa-getkeytab to obtain a host principal for this server." + + start = stderr.find('Certificate subject base is: ') + if start >= 0: + start = start + 29 + subject_base = stderr[start:] + subject_base = subject_base.strip() + finally: if options.principal is not None: (stderr, stdout, returncode) = run(["/usr/kerberos/bin/kdestroy"], raiseonerr=False) @@ -511,7 +522,7 @@ def main(): print "Configured /etc/ldap.conf" if not options.on_master: - configure_certmonger(fstore, options) + configure_certmonger(fstore, subject_base, cli_realm, options) # If on master assume kerberos is already configured properly. if not options.on_master: |