User-defined certificate subjects

Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
author: Rob Crittenden <rcritten@redhat.com> 2010-01-20 11:26:20 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2010-01-20 17:24:01 -0500
commit: e4470f8165242fba6c5ce477a2eeca0141891701 (patch)
tree: 01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/install/httpinstance.py
parent: 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff)
download: freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz
freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz
freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip
1 files changed, 6 insertions, 5 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ee62f81f..3ff5cf8a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -56,7 +56,7 @@ class HTTPInstance(service.Service):
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    def create_instance(self, realm, fqdn, domain_name, dm_password=None, autoconfig=True, pkcs12_info=None, self_signed_ca=False):
+    def create_instance(self, realm, fqdn, domain_name, dm_password=None, autoconfig=True, pkcs12_info=None, self_signed_ca=False, subject_base=None):
         self.fqdn = fqdn
         self.realm = realm
         self.domain = domain_name
@@ -66,6 +66,7 @@ class HTTPInstance(service.Service):
         self.self_signed_ca = self_signed_ca
         self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
         self.dercert = None
+        self.subject_base = subject_base
         self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
 
         self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
@@ -164,10 +165,10 @@ class HTTPInstance(service.Service):
 
     def __setup_ssl(self):
         if self.self_signed_ca:
-            ca_db = certs.CertDB(NSS_DIR)
+            ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
         else:
-            ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn)
-        db = certs.CertDB(NSS_DIR)
+            ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
+        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
         if self.pkcs12_info:
             db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
             server_certs = db.find_server_certs()
@@ -221,7 +222,7 @@ class HTTPInstance(service.Service):
         prefs_fd.close()
 
         # The signing cert is generated in __setup_ssl
-        db = certs.CertDB(NSS_DIR)
+        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
 
         pwdfile = open(db.passwd_fname)
         pwd = pwdfile.read()
author	Rob Crittenden <rcritten@redhat.com>	2010-01-20 11:26:20 -0500
committer	Rob Crittenden <rcritten@redhat.com>	2010-01-20 17:24:01 -0500
commit	e4470f8165242fba6c5ce477a2eeca0141891701 (patch)
tree	01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/install/httpinstance.py
parent	2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff)
download	freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip