diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 11:26:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 17:24:01 -0500 |
commit | e4470f8165242fba6c5ce477a2eeca0141891701 (patch) | |
tree | 01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/install/cainstance.py | |
parent | 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff) | |
download | freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip |
User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 97ba833b..47183bb2 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -46,7 +46,6 @@ from ipapython import nsslib from ipaserver.install import service from ipaserver.install import installutils -from ipaserver import ipaldap from ipaserver.install import dsinstance from ipalib import util @@ -414,7 +413,8 @@ class CAInstance(service.Service): def configure_instance(self, pki_user, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, - cert_file=None, cert_chain_file=None): + cert_file=None, cert_chain_file=None, + subject_base="O=IPA"): """Create a CA instance. This may involve creating the pki-ca instance dogtag instance. @@ -434,6 +434,7 @@ class CAInstance(service.Service): if self.pkcs12_info is not None: self.clone = True self.master_host = master_host + self.subject_base = subject_base # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -540,7 +541,7 @@ class CAInstance(service.Service): "-agent_name", "ipa-ca-agent", "-agent_key_size", "2048", "-agent_key_type", "rsa", - "-agent_cert_subject", "\"CN=ipa-ca-agent,O=" + self.domain_name + "\"", + "-agent_cert_subject", "\"CN=ipa-ca-agent,%s\"" % self.subject_base, "-ldap_host", self.host_name, "-ldap_port", str(self.ds_port), "-bind_dn", "\"cn=Directory Manager\"", @@ -553,11 +554,11 @@ class CAInstance(service.Service): "-backup_pwd", self.admin_password, "-subsystem_name", self.service_name, "-token_name", "internal", - "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem Certificate,O=" + self.domain_name + "\"", - "-ca_ocsp_cert_subject_name", "\"CN=OCSP Signing Certificate,O=" + self.domain_name + "\"", - "-ca_server_cert_subject_name", "CN=" + self.host_name + ",O=" + self.domain_name, - "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit Signing Certificate,O=" + self.domain_name + "\"", - "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,O=" + self.domain_name + "\"" ] + "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem,%s\"" % self.subject_base, + "-ca_ocsp_cert_subject_name", "\"CN=OCSP Subsystem,%s\"" % self.subject_base, + "-ca_server_cert_subject_name", "\"CN=%s,%s\"" % (self.host_name, self.subject_base), + "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit,%s\"" % self.subject_base, + "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,%s\"" % self.subject_base ] if self.external == 1: args.append("-external") args.append("true") @@ -770,7 +771,7 @@ class CAInstance(service.Service): ('usertype', "agentType"), ('userstate', "1"), ('userCertificate', decoded), - ('description', '2;%s;CN=Certificate Authority,O=%s;CN=RA Subsystem Certificate,OU=pki-ipa,O=%s' % (str(self.requestId), self.domain_name, self.domain_name)),] + ('description', '2;%s;CN=Certificate Authority,%s;CN=RA Subsystem,%s' % (str(self.requestId), self.subject_base, self.subject_base)),] ld.add_s(entry_dn, entry) @@ -886,7 +887,7 @@ class CAInstance(service.Service): # Generate our CSR. The result gets put into stdout try: - (stdout, stderr, returncode) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem Certificate,OU=pki-ipa,O=%s" % self.domain_name, "-z", noise_name, "-a"]) + (stdout, stderr, returncode) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem,%s" % self.subject_base, "-z", noise_name, "-a"]) finally: os.remove(noise_name) @@ -1000,6 +1001,13 @@ class CAInstance(service.Service): ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"]) + def set_subject_in_config(self, suffix): + # dogtag ships with an IPA-specific profile that forces a subject + # format. We need to update that template with our base subject + if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base): + print "Updating subject_base in CA template failed" + self.__restart_instance() + def uninstall(self): try: ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", |