From e2683d6a8f6211ac58a5674aaa626814f26ebbf2 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Wed, 15 Apr 2015 10:58:08 -0700
Subject: Ticket 1316 Allow adding SAN to server cert during the install process
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
---
 base/server/python/pki/server/deployment/pkihelper.py | 9 +++++++++
 base/server/python/pki/server/deployment/pkiparser.py | 3 +++
 2 files changed, 12 insertions(+)
(limited to 'base/server/python/pki/server/deployment')
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 7f46c1f8b..884215e85 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -463,6 +463,11 @@ class ConfigurationFile:
 self.mdict['pki_skip_configuration'])
 self.standalone = config.str2bool(self.mdict['pki_standalone'])
 self.subordinate = config.str2bool(self.mdict['pki_subordinate'])
+ # server cert san injection support
+ self.san_inject = config.str2bool(self.mdict['pki_san_inject'])
+ if self.san_inject:
+ self.confirm_data_exists('pki_san_for_server_cert')
+ self.san_for_server_cert = self.mdict['pki_san_for_server_cert']
 # set useful 'string' object variables for this class
 self.subsystem = self.mdict['pki_subsystem']
@@ -3637,6 +3642,7 @@ class ConfigClient:
 self.add_req_ext = config.str2bool(
 self.mdict['pki_req_ext_add'])
 self.security_domain_type = self.mdict['pki_security_domain_type']
+ self.san_inject = config.str2bool(self.mdict['pki_san_inject'])
 def configure_pki_data(self, data):
 config.pki_log.info(
@@ -4335,6 +4341,9 @@ class ConfigClient:
 cert.nickname = self.mdict["pki_%s_nickname" % tag]
 cert.subjectDN = self.mdict["pki_%s_subject_dn" % tag]
 cert.token = self.mdict["pki_%s_token" % tag]
+ if tag == 'ssl_server' and self.san_inject:
+ cert.san_for_server_cert = \
+ self.mdict['pki_san_for_server_cert']
 return cert
 def retrieve_existing_server_cert(self, cfg_file):
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index e37b0e4a5..e93f1717e 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -588,6 +588,9 @@ class PKIConfigParser:
 if not 'pki_subordinate' in self.mdict or\
 not len(self.mdict['pki_subordinate']):
 self.mdict['pki_subordinate'] = "false"
+ if not 'pki_san_inject' in self.mdict or\
+ not len(self.mdict['pki_san_inject']):
+ self.mdict['pki_san_inject'] = "false"
 # PKI Target (slot substitution) name/value pairs
 self.mdict['pki_target_cs_cfg'] = \
-- 
cgit
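Review bot: The string stored in `self.san_for_server_cert` is passed through with no format check — `confirm_data_exists`, as its name suggests, only verifies that `pki_san_for_server_cert` is set, not what it contains, so a stray space or trailing comma in the comma-delimited list is caught, if at all, only when the CA profile rejects the enrollment. Since this value ends up inside a certificate extension, it is worth validating here (split on `,`, strip each item, reject empty items) or at least documenting the expected shape with `# comma-delimited list of DNS names placed in the SSL server cert's SAN extension`. Note also that the commit message tells users to set `pki_san_server_cert`, whereas the code reads `pki_san_for_server_cert`; following the message with `pki_san_inject=True` will trip `confirm_data_exists`. The enclosing method starts and ends outside the hunk.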
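Review bot: Only the `pki_san_inject` flag is cached here, while the SAN string itself is re-read from `self.mdict` in the later `ConfigClient` hunk (`cert.san_for_server_cert = self.mdict['pki_san_for_server_cert']`); `ConfigurationFile` stores both as attributes, so the two classes read the same setting in different ways. Storing the value next to the flag, `self.san_for_server_cert = self.mdict.get('pki_san_for_server_cert')`, and using that attribute in the later hunk keeps the config read in one place. Why the flag is parsed again here rather than taken from the already-validated `ConfigurationFile` is not visible from the hunk; a one-line comment would help the next reader.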
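Review bot: `cert.san_for_server_cert` is a new attribute set on `cert`, and whether it is actually carried into the request sent to the server depends on how `cert`'s class serializes itself, which is not visible here — worth confirming against that class and noting at the assignment. The `tag == 'ssl_server'` test is the only thing keeping the SAN out of the other system certs and deserves a comment saying so, e.g. `# SAN injection applies to the SSL server cert only (Ticket 1316)`. The enclosing method starts and ends outside the hunk.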
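Review bot: The new default for `pki_san_inject` copies the `not 'key' in dict or not len(...)` spelling of the `pki_subordinate` block above it; for a string-valued entry the equivalent `if not self.mdict.get('pki_san_inject'):` reads more clearly and avoids the `not x in y` form linters flag. No default is added for `pki_san_for_server_cert`, so its presence is enforced only by `confirm_data_exists` in pkihelper when the flag is true; that is reasonable but worth stating here, `# pki_san_for_server_cert has no default; it is required only when pki_san_inject is true`. The enclosing method starts and ends outside the hunk.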