diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2015-12-07 16:14:28 +1100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-07-19 14:18:04 +0200 |
commit | b12db924143cd6828c596c0b8a261325f3f589f3 (patch) | |
tree | 5b004b8f20fb6e553bfc9ae8df32ae8dc01f8c86 /ipapython | |
parent | b144bf527db76573590255d4ac80e9dfd813ba3d (diff) | |
download | freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.tar.gz freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.tar.xz freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.zip |
Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/certmonger.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index db0360fce..1f22fee3d 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -297,9 +297,14 @@ def add_subject(request_id, subject): add_request_value(request_id, 'template-subject', subject) -def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): +def request_cert( + nssdb, nickname, subject, principal, passwd_fname=None, + dns=None): """ Execute certmonger to request a server certificate. + + ``dns`` + A sequence of DNS names to appear in SAN request extension. """ cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname('IPA') @@ -310,6 +315,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, SUBJECT=subject, PRINCIPAL=[principal], CA=ca_path) + if dns is not None and len(dns) > 0: + request_parameters['DNS'] = dns if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters) |