author | Rob Crittenden <rcritten@redhat.com> | 2012-03-07 17:46:33 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-03-15 09:55:03 +0100 |
commit | 1584807e022540af7ca1a89031f18f45194c31ab (patch) | |
tree | 9243cd7fe8a14111b14da41b97573f086979dd87 /install | |
parent | d082b64b7b17ceee5fe3e2d7d9140b100ee4ea59 (diff) | |
Add subject key identifier to the dogtag server cert profile.
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
Diffstat (limited to 'install')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f40..40a2b68ce 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
 from ipaserver.install import httpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import service
+ from ipaserver.install import cainstance
+ from ipaserver.install import certs
 import ldap
 import krbV
 import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
 if fstore.has_file(filename):
 fstore.untrack_file(filename)
+def upgrade_ipa_profile(realm):
+ """
+ Update the IPA Profile provided by dogtag
+ """
+ ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ if ca.is_configured():
+ if ca.enable_subject_key_identifier():
+ ca.restart()
+
 def main():
 """
 Get some basics about the system. If getting those basics fail then
@@ -284,6 +295,8 @@ def main():
 pass
 cleanup_kdc()
+ upgrade_ipa_profile(krbctx.default_realm)
+
 try:
 if __name__ == "__main__":
 sys.exit(main())
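Review bot: The docstring on `upgrade_ipa_profile` does not say what is changed in the profile or that the CA may be restarted as a side effect. Going by the calls, it enables the subject key identifier and restarts the CA only when `enable_subject_key_identifier()` returns true, so something like `"""Enable the Subject Key Identifier extension in the dogtag IPA cert profile; restart the CA if the profile was modified."""` would tell the reader that. The two nested `if`s can be written as one, `if ca.is_configured() and ca.enable_subject_key_identifier():`. Nothing is logged on either path, so an administrator cannot tell from the upgrade output whether certificate issuance policy was altered or left alone (the commit message says customized profiles are skipped); a log line for each outcome would help auditing.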
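Review bot: The new call `upgrade_ipa_profile(krbctx.default_realm)` sits after `cleanup_kdc()` with no handler of its own, so a failure while constructing `CAInstance` or inside `ca.restart()` would leave `main()` at that point. The preceding step appears to end in an `except` branch (only its `pass` is visible), and the handlers of the module-level `try:` are outside the hunk, so how such a failure is reported cannot be judged from here. Because the restart runs during a package upgrade, it is worth deciding explicitly whether a CA that did not come back should abort the upgrade or be logged and skipped, and recording that choice in a comment at the call site.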