From b12db924143cd6828c596c0b8a261325f3f589f3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek
---
ipapython/certmonger.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'ipapython')
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index db0360fce..1f22fee3d 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -297,9 +297,14 @@ def add_subject(request_id, subject):
add_request_value(request_id, 'template-subject', subject)
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+ nssdb, nickname, subject, principal, passwd_fname=None,
+ dns=None):
""" Execute certmonger to request a server certificate.
+
+ ``dns``
+ A sequence of DNS names to appear in SAN request extension.
""" cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname('IPA')
@@ -310,6 +315,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, SUBJECT=subject, PRINCIPAL=[principal], CA=ca_path)
+ if dns is not None and len(dns) > 0:
+ request_parameters['DNS'] = dns
if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters)
-- cgit
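Review bot: The guard `if dns is not None and len(dns) > 0:` in the second hunk accepts a bare string as readily as a list, so a caller passing `'host.example'` instead of `['host.example']` would have the new code forward something other than the sequence of names the added docstring promises to certmonger's `DNS` request parameter. A stricter form is `if isinstance(dns, str): raise TypeError('dns must be a sequence of DNS names')` followed by `if dns: request_parameters['DNS'] = list(dns)`, which also drops the redundant `is not None` / `len(...) > 0` pair. The docstring entry for ``dns`` could also state that an empty sequence behaves like `None` (no SAN names requested), since that is exactly what the check does. `request_cert`'s body continues past the end of the hunk, so whether the handling of the `add_request` result needs any change for the SAN case is not visible here.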