authorChristina Fu <cfu@redhat.com>2015-04-15 10:58:08 -0700
committerChristina Fu <cfu@redhat.com>2015-04-21 18:24:32 -0700
commite2683d6a8f6211ac58a5674aaa626814f26ebbf2 (patch)
treecb6e9fae0990b334ee1acd6333f8ef46594994e8 /base/server/python/pki/server/deployment/pkihelper.py
parent79c5627ae28840756d99928fd33701552cc93322 (diff)
Ticket 1316 Allow adding SAN to server cert during the install process
Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SANs delimited by ',' for pki_san_server_cert) - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) and check the SSL server cert; it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
Diffstat (limited to 'base/server/python/pki/server/deployment/pkihelper.py')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 7f46c1f8b..884215e85 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -463,6 +463,11 @@ class ConfigurationFile:
self.mdict['pki_skip_configuration'])
self.standalone = config.str2bool(self.mdict['pki_standalone'])
self.subordinate = config.str2bool(self.mdict['pki_subordinate'])
+ # server cert san injection support
+ self.san_inject = config.str2bool(self.mdict['pki_san_inject'])
+ if self.san_inject:
+ self.confirm_data_exists('pki_san_for_server_cert')
+ self.san_for_server_cert = self.mdict['pki_san_for_server_cert']
# set useful 'string' object variables for this class
self.subsystem = self.mdict['pki_subsystem']
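Review bot: The key verified here, `pki_san_for_server_cert`, does not match the `pki_san_server_cert` name used in the commit description's usage text, so an operator who follows that text with `pki_san_inject=True` would presumably fail `confirm_data_exists`; one of the two names should be corrected. Beyond presence, the value is stored unvalidated even though it ends up as the Subject Alternative Name of the SSL server certificate. A check that each comma-separated entry is a non-empty, well-formed DNS name would catch typos and stray whitespace before the certificate is issued. A comment such as `# comma-separated DNS names added as SAN to the SSL server cert` above the assignment would document the expected format. The enclosing method starts and ends outside the hunk.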
@@ -3637,6 +3642,7 @@ class ConfigClient:
self.add_req_ext = config.str2bool(
self.mdict['pki_req_ext_add'])
self.security_domain_type = self.mdict['pki_security_domain_type']
+ self.san_inject = config.str2bool(self.mdict['pki_san_inject'])
def configure_pki_data(self, data):
config.pki_log.info(
@@ -4335,6 +4341,9 @@ class ConfigClient:
cert.nickname = self.mdict["pki_%s_nickname" % tag]
cert.subjectDN = self.mdict["pki_%s_subject_dn" % tag]
cert.token = self.mdict["pki_%s_token" % tag]
+ if tag == 'ssl_server' and self.san_inject:
+ cert.san_for_server_cert = \
+ self.mdict['pki_san_for_server_cert']
return cert
def retrieve_existing_server_cert(self, cfg_file):
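Review bot: `self.mdict['pki_san_for_server_cert']` is read here without any presence check in `ConfigClient`, which would raise a bare `KeyError` if the key is missing. The only `confirm_data_exists` call for this key is in `ConfigurationFile` (first hunk), while `ConfigClient.__init__` (second hunk) re-parses `pki_san_inject` on its own, so this lookup depends on that verification having been run against the same dictionary. Either an explicit error at this point or passing in the already-verified value would make that dependency visible. When the condition is false, `cert.san_for_server_cert` is never assigned, so it is worth confirming that the cert data class defines a default for the attribute. The enclosing method starts outside the hunk.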