From 1584807e022540af7ca1a89031f18f45194c31ab Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 7 Mar 2012 17:46:33 -0500
Subject: Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. https://fedorahosted.org/freeipa/ticket/2446
---
 install/tools/ipa-upgradeconfig | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'install/tools/ipa-upgradeconfig')
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f4..40a2b68c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
 from ipaserver.install import httpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import service
+ from ipaserver.install import cainstance
+ from ipaserver.install import certs
 import ldap
 import krbV
 import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
 if fstore.has_file(filename):
 fstore.untrack_file(filename)
+def upgrade_ipa_profile(realm):
+ """
+ Update the IPA Profile provided by dogtag
+ """
+ ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ if ca.is_configured():
+ if ca.enable_subject_key_identifier():
+ ca.restart()
+
 def main():
 """
 Get some basics about the system. If getting those basics fail then
@@ -284,6 +295,8 @@ def main():
 pass
 cleanup_kdc()
+ upgrade_ipa_profile(krbctx.default_realm)
+
 try:
 if __name__ == "__main__":
 sys.exit(main())
-- cgit
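Review bot: The docstring of `upgrade_ipa_profile` says neither what is changed nor that the CA is restarted as a side effect; `"""Enable the Subject Key Identifier extension in the dogtag server cert profile and restart the CA if the profile was changed."""` would cover both. Both skip paths are silent: when `ca.is_configured()` is false, and when `ca.enable_subject_key_identifier()` returns a false value (which, going by the commit message, includes a profile the administrator has customized), nothing records that the profile was left as it was. An operator therefore cannot tell from the upgrade run whether newly issued certificates will carry the extension, so a log message on each path, and one before `ca.restart()`, would make the outcome auditable. The call added to `main()` in the last hunk has no visible handler, so a failed restart presumably propagates out of `main()`; its body starts outside the hunk, so confirm against the full file.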