The CA audit certificate is initially valid for two years but its profile has it renewing at six months. This bumps the value up to two years to match the other certificates.

This relies on Petr's and Ade's dogtag 10 patches.

rob
>From 7d5f799c1abb302d8b90cb50d5e1191fbf4c5edb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 12 Sep 2012 16:22:44 -0400
Subject: [PATCH] Set renewal time for the CA audit certificate to 720 days.

The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951
---
 install/tools/ipa-upgradeconfig | 15 ++++++++++-----
 ipaserver/install/cainstance.py | 26 ++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6c0437180c2b47f4d88154741c96648975b30d34..c1fccf9ca1f9994aa987c3c0138f79a528e9e6ed 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -210,14 +210,15 @@ def upgrade_pki(fstore):
 
     This requires enabling SSL renegotiation.
     """
+    configured_constants = dogtag.configured_constants()
     root_logger.info('[Verifying that CA proxy configuration is correct]')
-    if not os.path.exists('/etc/pki-ca/CS.cfg'):
+    if not os.path.exists(configured_constants.CS_CFG_PATH):
         root_logger.debug('No CA detected in /etc/pki-ca')
         return
 
     http = httpinstance.HTTPInstance(fstore)
     http.enable_mod_nss_renegotiate()
-    if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+    if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists('/usr/bin/pki-setup-proxy'):
         ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
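Review bot: The debug message directly under the new `os.path.exists(configured_constants.CS_CFG_PATH)` check still names the hard-coded `/etc/pki-ca`, so when the constant resolves to a different layout the log reports a directory the code never looked at. It should be derived from the same constant, e.g. `root_logger.debug('No CA detected, %s does not exist' % configured_constants.CS_CFG_PATH)`. The `/usr/bin/pki-setup-proxy` path and `-pki_instance_root=/var/lib` lower in the hunk remain hard-coded as well; whether they also belong in the configured constants depends on what dogtag.configured_constants() exposes, which is not visible here. upgrade_pki starts before this hunk and its body continues past it.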
@@ -288,11 +289,15 @@ def upgrade_ipa_profile(realm):
     root_logger.info('[Verifying that CA service certificate profile is updated]')
     ca = cainstance.CAInstance(realm, certs.NSS_DIR)
     if ca.is_configured():
-        if ca.enable_subject_key_identifier():
-            root_logger.debug('Subject Key Identifier updated, restarting CA')
-            ca.restart()
+        ski = ca.enable_subject_key_identifier()
+        if ski:
+            root_logger.debug('Subject Key Identifier updated.')
         else:
             root_logger.debug('Subject Key Identifier already set.')
+        audit = ca.set_audit_renewal()
+        if audit or ski:
+            root_logger.debug('Restarting CA.')
+            ca.restart()
     else:
         root_logger.debug('CA is not configured')
 
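Review bot: The audit branch is not logged symmetrically with the SKI branch: when `set_audit_renewal()` returns False nothing is recorded, so a later read of the debug log cannot tell whether the profile was already at two years or the directive was never found. Adding `else: root_logger.debug('Audit signing renewal already set.')` after the `audit = ca.set_audit_renewal()` line would mirror the existing 'Subject Key Identifier already set.' message. Note also that the CA restart is now deferred until both updates have run; if `set_audit_renewal()` raises, an SKI change already written by the previous call is left without the restart the old code performed immediately, which is probably acceptable for a re-runnable upgrade tool but deserves a one-line comment at the restart.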
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ccadd1cf8e0967eab20ae382b10f58d104764610..d8900b13ee9412cd77ca8a95d7fdbd7e2261623e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -551,6 +551,7 @@ class CAInstance(service.Service):
             self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("set certificate subject base", self.__set_subject_in_config)
             self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+            self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
             self.step("configuring certificate server to start on boot", self.__enable)
             if not self.clone:
                 self.step("restarting certificate server", self.__restart_instance)
@@ -1386,6 +1387,31 @@ class CAInstance(service.Service):
         # No update was done
         return False
 
+    def set_audit_renewal(self):
+        """
+        The default renewal time for the audit signing certificate is
+        six months rather than two years. Fix it. This is BZ 843979.
+        """
+        # Check the default validity period of the audit signing cert
+        # and set it to 2 years if it is 6 months.
+        range = installutils.get_directive(
+            '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+            'policyset.caLogSigningSet.2.default.params.range',
+            separator='='
+        )
+        root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+        if range == "180":
+            installutils.set_directive(
+                '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+                'policyset.caLogSigningSet.2.default.params.range',
+                '720',
+                quotes=False,
+                separator='='
+            )
+            root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+            return True
+        return False
+
     def is_master(self):
         """
         There are some tasks that are only done on a single dogtag master.
-- 
1.7.11.4
