From e4470f8165242fba6c5ce477a2eeca0141891701 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 20 Jan 2010 11:26:20 -0500
Subject: User-defined certificate subjects
Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
---
 ipaserver/install/service.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'ipaserver/install/service.py')
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 5e2eb63d..5aee093e 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -160,9 +160,15 @@ class Service:
 Add a certificate to a service
 This should be passed in DER format but we'll be nice and convert
- a base64-encoded cert if needed.
+ a base64-encoded cert if needed (like when we add certs that come
+ from PKCS#12 files.)
 """
 try:
+ s = self.dercert.find('-----BEGIN CERTIFICATE-----')
+ if s > -1:
+ e = self.dercert.find('-----END CERTIFICATE-----')
+ s = s + 27
+ self.dercert = self.dercert[s:e]
 self.dercert = base64.b64decode(self.dercert)
 except Exception:
 pass
-- cgit
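Review bot: In the added PEM-stripping lines inside the `try:`, `self.dercert` is overwritten with the slice before `base64.b64decode` runs, and the result of `find('-----END CERTIFICATE-----')` is neither checked for -1 nor searched from `s`, so a truncated or malformed PEM leaves a half-stripped or empty string in `self.dercert` while the existing `except Exception: pass` hides the failure. Whatever follows the hunk would then presumably store that value as the service certificate. I would strip on a local copy, look for the END marker starting at `s`, treat a missing END marker as an error, assign `self.dercert` only after the decode has succeeded, and replace the literal 27 with the marker's length. The method starts before and continues after this hunk, so how the result is consumed is not visible here.

```python
        # ... unchanged: docstring ...
        begin = '-----BEGIN CERTIFICATE-----'
        end = '-----END CERTIFICATE-----'
        try:
            cert = self.dercert
            s = cert.find(begin)
            if s > -1:
                # Search for the footer only after the header we just found.
                e = cert.find(end, s)
                if e == -1:
                    raise ValueError('PEM certificate has no END marker')
                cert = cert[s + len(begin):e]
            # Commit the new value only once decoding has succeeded.
            self.dercert = base64.b64decode(cert)
        # ... unchanged: except Exception: pass ...
```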