Update comments to explain caSubsystemCert switch

Related: https://bugzilla.redhat.com/1670239 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-01-11 00:31:56 -06:00 · 2019-08-08 07:08:58 +02:00 · 2019-08-08 07:08:58 +02:00 · 3c82585e52
commit 3c82585e52
parent 802a54bfc8
2 changed files with 4 additions and 1 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -306,6 +306,9 @@ IPA_CA_RECORD = "ipa-ca"
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
 RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse'
+# The RA agent cert is used for client cert authentication. In the past IPA
+# used caServerCert profile, which adds clientAuth and serverAuth EKU. The
+# serverAuth EKU caused trouble with NamedConstraints, see RHBZ#1670239.
 RA_AGENT_PROFILE = 'caSubsystemCert'
 # How long dbus clients should wait for CA certificate RPCs [seconds]
 CA_DBUS_TIMEOUT = 120
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -857,7 +857,7 @@ class CAInstance(DogtagInstance):
            ipalib.constants.RENEWAL_CA_NAME, helper)

        try:
-            # The certificate must be requested using caServerCert profile
+            # The certificate must be requested using caSubsystemCert profile
            # because this profile does not require agent authentication
            reqId = certmonger.request_and_wait_for_cert(
                certpath=(paths.RA_AGENT_PEM, paths.RA_AGENT_KEY),