diff options
| author | Martin Kosek <mkosek@redhat.com> | 2012-11-19 10:32:28 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-12-07 11:00:17 -0500 |
| commit | 867f7691e9e8d4dc101d227ca56a94f9b947897f (patch) | |
| tree | dcd1529b6a530091bdb1f446b34bf71bae3836a9 /install/share | |
| parent | 0d836cd6ee9d7b29808cbf36582eed71a5b6a32a (diff) | |
| download | freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.tar.gz freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.tar.xz freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.zip | |
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
Diffstat (limited to 'install/share')
| -rw-r--r-- | install/share/bind.zone.db.template | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template index 157d05e55..5ee71d688 100644 --- a/install/share/bind.zone.db.template +++ b/install/share/bind.zone.db.template @@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST _kpasswd._tcp IN SRV 0 100 464 $HOST _kpasswd._udp IN SRV 0 100 464 $HOST $OPTIONAL_NTP + +; CNAME for IPA CA replicas (used for CRL, OCSP) +$IPA_CA_CNAME IN CNAME $HOST |