[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-08 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 973fe140d2c3a5fb13738fa3381d3cec1c02688d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   2 +
 14 files changed, 261 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 6330f1d..30b78ed 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
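Review bot: the keyword rename from `nssdb=` to `certpath=` on this `certmonger.request_cert(...)` call means every other caller of `request_cert` in the tree has to change in the same commit, or it fails at runtime with `TypeError: unexpected keyword argument 'nssdb'`; the diffstat lists `ipapython/certmonger.py` (32 lines) and `ipaserver/install/certs.py`, but it is worth grepping the whole tree for `nssdb=` before merge. Since this call still passes `paths.IPA_NSSDB_DIR` together with `nickname='Local IPA host'`, `request_cert` now has to infer NSS-database versus PEM-file storage from the path (or from whether a nickname is given); that rule should be stated in the function's docstring so the next caller does not pass a directory where a file is expected.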
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
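Review bot: `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` splits the KDC's PKINIT identity into a separate certificate and private-key file, so the installer must now substitute both `$KDC_CERT` and `$KDC_KEY` (and can drop `$KDC_PEM`); if either substitution is missing, the literal `$KDC_KEY` lands in kdc.conf and krb5kdc fails to start. Two things to check on the key-file side: the file named by `$KDC_KEY` should be created with mode 0600 and readable only by the account krb5kdc runs as before the service is started, and because this is only the template, existing servers keep their old `FILE:$KDC_PEM` line, so an upgrade step that rewrites `pkinit_identity` is needed for them to pick up the new layout.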
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe
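Review bot: the `desc=` and `name=` strings ("...server certificates with IPA-RA agent authentication", "IPA-RA Agent-Authenticated Server Certificate Enrollment") are copied verbatim from the generic server-certificate profile and should say that this is the KDC PKINIT profile, otherwise the two are indistinguishable in `ipa certprofile-find` output. The visible policies 1-3 (subject name pattern `CN=[^,]+,.+`, 740/731-day validity, RSA 2048/3072/4096) are likewise identical to the server profile; what makes a certificate usable as a KDC PKINIT identity is the KDC extended key usage and the KDC principal name in the SAN, which can only live in the cut-off policies 4-11 of `policyset.serverCertSet.list`, so those are the lines that need the closest read. Minor: a two-year default validity is fine, but it should be paired with certmonger tracking of the KDC certificate (the diffstat touches `ipapython/certmonger.py`) so renewal does not become a manual task.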

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 0fdf1369c9402e9df76cd74ca32238eb480a1e4c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 255f171fcaa443bac586e38a2f7f30aff676739d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCe

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From b8525fc326bfc6ef57bdfc308fe37bfbe175ca7c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  65 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 260 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)

2016-09-06 Thread simo5
simo5's pull request #62: "Configure Anonymous PKINIT on server install" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 32ab40ceae858310c4780504ed1696f30270ade4 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

Signed-off-by: Simo Sorce 
---
 client/ipa-client-install|   2 +-
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaplatform/base/paths.py|   3 +-
 ipapython/certmonger.py  |  32 +---
 ipapython/dogtag.py  |   4 +
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/krbinstance.py |  49 
 ipaserver/install/server/common.py   |   5 +-
 ipaserver/install/server/install.py  |  26 ---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  64 +---
 ipaserver/plugins/dogtag.py  |   1 +
 14 files changed, 259 insertions(+), 53 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 4a263b3..590f598 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1175,7 +1175,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
-certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+certmonger.request_cert(certpath=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
 subject=subject, dns=[hostname],
 principal=principal,
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+