diff options
author | Simo Sorce <ssorce@redhat.com> | 2010-12-08 16:35:12 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-12-10 12:28:38 -0500 |
commit | bfaea1dd78bbf6de0248ef8e33784d57ead9d24a (patch) | |
tree | d4a027d5056ea909017536de111d47394e9271b3 /install/tools | |
parent | 2efc08a6fc8c0407ff2169e3ef7eed92eaaa6545 (diff) | |
download | freeipa-bfaea1dd78bbf6de0248ef8e33784d57ead9d24a.tar.gz freeipa-bfaea1dd78bbf6de0248ef8e33784d57ead9d24a.tar.xz freeipa-bfaea1dd78bbf6de0248ef8e33784d57ead9d24a.zip |
Move Selfsigned CA creation out of dsinstance
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-replica-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 13 | ||||
-rwxr-xr-x | install/tools/ipa-server-certinstall | 2 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 13 |
4 files changed, 15 insertions, 15 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c539e751..3d6f4743 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -158,7 +158,7 @@ def install_ca(config): cs = cainstance.CADSInstance() cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) - ca = cainstance.CAInstance(config.realm_name) + ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base) return ca diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index d70741f1..b9e3425e 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -27,7 +27,7 @@ import krbV from optparse import OptionParser from ipapython import ipautil -from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance +from ipaserver.install import bindinstance, dsinstance, installutils, certs from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr from ipaserver.plugins.ldap2 import ldap2 from ipapython import version @@ -123,14 +123,9 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() - db = certs.CertDB(dir, realm_name, subject_base=subject_base) + db = certs.CertDB(realm_name, nssdir=dir, subject_base=subject_base) db.create_passwd_file() -# if self_signed: -# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) -# db.create_from_cacert(ca_db.cacert_fname) -# else: -# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) - ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) + ca_db = certs.CertDB(realm_name, host_name=api.env.host, subject_base=subject_base) if is_kdc: ca_db.create_kdc_cert("KDC-Cert", hostname, dir) else: @@ -177,7 +172,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: - db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) + db = certs.CertDB(api.env.realm, host_name=api.env.host) if db.has_nickname("ipaCert"): pkcs12_fname = "%s/ra.p12" % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 4b460535..5c6b25bc 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -89,7 +89,7 @@ def choose_server_cert(server_certs): return server_certs[num - 1] def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): - cdb = certs.CertDB(dirname, api.env.realm) + cdb = certs.CertDB(api.env.realm, nssdir=dirname) cdb.create_passwd_file(db_password) cdb.create_certdbs() [pw_fd, pw_name] = tempfile.mkstemp() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 67c1a004..7fa6c71d 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -420,8 +420,8 @@ def uninstall(): ntpinstance.NTPInstance(fstore).uninstall() if cainstance.CADSInstance().is_configured(): cainstance.CADSInstance().uninstall() - if cainstance.CAInstance(api.env.realm).is_configured(): - cainstance.CAInstance(api.env.realm).uninstall() + if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured(): + cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall() bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -693,7 +693,12 @@ def main(): ntp = ntpinstance.NTPInstance(fstore) ntp.create_instance() - if not options.selfsign: + if options.selfsign: + ca = certs.CertDB(realm_name, host_name=host_name, + subject_base=options.subject) + ca.create_self_signed() + ca.publish_ca_cert("/etc/ipa/ca.crt") + else: # Clean up any previous self-signed CA that may exist try: os.remove(certs.CA_SERIALNO) @@ -720,7 +725,7 @@ def main(): if options.external_cert_file is None: cs = cainstance.CADSInstance() cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password) - ca = cainstance.CAInstance(realm_name) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) if external == 0: ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject) elif external == 1: |