Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3977>.
Honza -- Jan Cholasta
>From 101547fae92dfa6dea0db34f68cb855f471af54d Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 5 Dec 2013 14:34:14 +0100 Subject: [PATCH] Allow SAN in IPA certificate profile. https://fedorahosted.org/freeipa/ticket/3977 --- install/tools/ipa-upgradeconfig | 7 +++++- ipaserver/install/cainstance.py | 51 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 10526f2..fe39624 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -328,9 +328,14 @@ def upgrade_ipa_profile(ca, domain, fqdn): root_logger.debug('Subject Key Identifier updated.') else: root_logger.debug('Subject Key Identifier already set.') + san = ca.enable_subject_alternative_name() + if san: + root_logger.debug('Subject Alternative Name updated.') + else: + root_logger.debug('Subject Alternative Name already set.') audit = ca.set_audit_renewal() uri = ca.set_crl_ocsp_extensions(domain, fqdn) - if audit or ski or uri: + if audit or ski or san or uri: return True else: root_logger.info('CA is not configured') diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ac5c81d..54012db 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -460,6 +460,7 @@ class CAInstance(service.Service): self.step("setting up signing cert profile", self.__setup_sign_profile) self.step("set certificate subject base", self.__set_subject_in_config) self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) + self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name) self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) self.step("configuring certificate server to start on boot", self.__enable) @@ -1207,6 +1208,8 @@ class CAInstance(service.Service): new_set_list = '1,2,3,4,5,6,7,8,9' elif setlist == '1,2,3,4,5,6,7,8,10': new_set_list = '1,2,3,4,5,6,7,8,9,10' + elif setlist == '1,2,3,4,5,6,7,8,10,11': + new_set_list = '1,2,3,4,5,6,7,8,9,10,11' if new_set_list: installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, @@ -1526,6 +1529,54 @@ class CAInstance(service.Service): # No update was done return False + def enable_subject_alternative_name(self): + """ + See if Subject Alternative Name is set in the profile and if not, add + it. + """ + setlist = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.list', separator='=') + + # this is the default setting from pki-ca/pki-tomcat. Don't touch it + # if a user has manually modified it. + if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10': + setlist = setlist + ',11' + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.list', + setlist, + quotes=False, separator='=') + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.11.constraint.class_id', + 'noConstraintImpl', + quotes=False, separator='=') + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.11.constraint.name', + 'No Constraint', + quotes=False, separator='=') + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.11.default.class_id', + 'userExtensionDefaultImpl', + quotes=False, separator='=') + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.11.default.name', + 'User Supplied Extension Default', + quotes=False, separator='=') + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.11.default.params.userExtOID', + '2.5.29.17', + quotes=False, separator='=') + return True + + # No update was done + return False + def set_audit_renewal(self): """ The default renewal time for the audit signing certificate is -- 1.8.4.2
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel