diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 11:26:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 17:24:01 -0500 |
commit | e4470f8165242fba6c5ce477a2eeca0141891701 (patch) | |
tree | 01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/install/httpinstance.py | |
parent | 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff) | |
download | freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip |
User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index ee62f81f..3ff5cf8a 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -56,7 +56,7 @@ class HTTPInstance(service.Service): else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - def create_instance(self, realm, fqdn, domain_name, dm_password=None, autoconfig=True, pkcs12_info=None, self_signed_ca=False): + def create_instance(self, realm, fqdn, domain_name, dm_password=None, autoconfig=True, pkcs12_info=None, self_signed_ca=False, subject_base=None): self.fqdn = fqdn self.realm = realm self.domain = domain_name @@ -66,6 +66,7 @@ class HTTPInstance(service.Service): self.self_signed_ca = self_signed_ca self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm) self.dercert = None + self.subject_base = subject_base self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain } self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) @@ -164,10 +165,10 @@ class HTTPInstance(service.Service): def __setup_ssl(self): if self.self_signed_ca: - ca_db = certs.CertDB(NSS_DIR) + ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) else: - ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn) - db = certs.CertDB(NSS_DIR) + ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base) + db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) if self.pkcs12_info: db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="") server_certs = db.find_server_certs() @@ -221,7 +222,7 @@ class HTTPInstance(service.Service): prefs_fd.close() # The signing cert is generated in __setup_ssl - db = certs.CertDB(NSS_DIR) + db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) pwdfile = open(db.passwd_fname) pwd = pwdfile.read() |