From 345fc79f039d217316c5d2df5ef59952a8130a96 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Wed, 3 Nov 2010 18:17:36 -0400
Subject: pkinit-replica: create certificates for replicas too

altough the kdc certificate name is not tied to the fqdn we create separate
certs for each KDC so that renewal of each of them is done separately.
---
 ipaserver/install/krbinstance.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

(limited to 'ipaserver/install/krbinstance.py')

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f6650d80..7454739e 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -205,7 +205,14 @@ class KrbInstance(service.Service):
 
         self.kpasswd.create_instance()
 
-    def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
+    def create_replica(self, ds_user, realm_name, host_name,
+                       domain_name, admin_password,
+                       ldap_passwd_filename, kpasswd_filename,
+                       setup_pkinit=False, pkcs12_info=None,
+                       self_signed_ca=False, subject_base=None):
+        self.pkcs12_info = pkcs12_info
+        self.self_signed_ca = self_signed_ca
+        self.subject_base = subject_base
         self.__copy_ldap_passwd(ldap_passwd_filename)
         self.__copy_kpasswd_keytab(kpasswd_filename)
 
@@ -217,6 +224,8 @@ class KrbInstance(service.Service):
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+        if setup_pkinit:
+            self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
 
         self.__common_post_setup()
 
@@ -506,16 +515,17 @@ class KrbInstance(service.Service):
             ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
                                  host_name=self.fqdn,
                                  subject_base=self.subject_base)
-        if self.pkcs12_info:
-
-            raise RuntimeError("Using PKCS12 Certs not supported yet\n")
 
+        if self.pkcs12_info:
+            ca_db.install_pem_from_p12(self.pkcs12_info[0],
+                                       self.pkcs12_info[1],
+                                       "/var/kerberos/krb5kdc/kdc.pem")
         else:
             if self.self_signed_ca:
                 ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
                                       "/var/kerberos/krb5kdc")
             else:
-                raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+                raise RuntimeError("PKI not supported yet\n")
 
         # Finally copy the cacert in the krb directory so we don't
         # have any selinux issues with the file context
-- 
cgit