Allow full customisability of IPA CA subject DN

Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Fraser Tweedale
2016-11-16 20:49:36 +10:00
committed by Jan Cholasta
parent 09a65df684
commit 3d01ec14c6
13 changed files with 198 additions and 98 deletions


@@ -573,7 +573,8 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
Server replica installer
"""
subject = None
subject_base = None
ca_subject = None
admin_password = knob(
bases=ServerReplicaInstallInterface.admin_password,


@@ -467,6 +467,10 @@ def install_check(installer):
if not options.subject_base:
options.subject_base = installutils.default_subject_base(realm_name)
if not options.ca_subject:
options.ca_subject = \
installutils.default_ca_subject_dn(options.subject_base)
if options.http_cert_files:
if options.http_pin is None:
options.http_pin = installutils.read_password(
@@ -726,6 +730,7 @@ def install(installer):
dm_password, dirsrv_pkcs12_info,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject_base,
ca_subject=options.ca_subject,
hbac_allow=not options.no_hbac_allow)
else:
ds = dsinstance.DsInstance(fstore=fstore,
@@ -736,6 +741,7 @@ def install(installer):
dm_password,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject_base,
ca_subject=options.ca_subject,
hbac_allow=not options.no_hbac_allow)
ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name)
@@ -747,7 +753,7 @@ def install(installer):
installer._ds = ds
ds.init_info(
realm_name, host_name, domain_name, dm_password,
options.subject_base, 1101, 1100, None)
options.subject_base, options.ca_subject, 1101, 1100, None)
if setup_ca:
if not options.external_cert_files and options.external_ca:
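Review bot: A user-supplied `--ca-subject` is handed to `DsInstance` and `ds.init_info` as a raw string; install_check only covers the unset case (falling back to `default_ca_subject_dn`), and nothing visible here confirms the value parses as a DN or is normalised before it becomes the CA subject written into DS certmap.conf. Unless the knob already validates it elsewhere, normalising next to the default assignment, e.g. `options.ca_subject = unicode(DN(options.ca_subject))` (if `DN` is in scope in this module), would make a malformed subject fail in install_check rather than partway through installation and would give certmap.conf the same canonical form the replica side derives from the CA certificate. Since certmap.conf presumably matches on the DN text, a value that differs only in formatting could silently break certificate-based mapping. The `if setup_ca:` branch and the `install` function continue outside the hunk.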


@@ -78,8 +78,7 @@ def install_http_certs(host_name, realm_name, subject_base):
principal = 'HTTP/%s@%s' % (host_name, realm_name)
# Obtain certificate for the HTTP service
nssdir = certs.NSS_DIR
subject = subject_base or installutils.default_subject_base(realm_name)
db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject)
db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
db.request_service_cert('Server-Cert', principal, host_name, True)
@@ -94,6 +93,11 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12",
"dirsrv_pin.txt")
if ca_is_configured:
ca_subject = ca.lookup_ca_subject(remote_api, config.subject_base)
else:
ca_subject = installutils.default_ca_subject_dn(config.subject_base)
ds = dsinstance.DsInstance(
config_ldif=options.dirsrv_config_file)
ds.create_replica(
@@ -103,6 +107,7 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
domain_name=config.domain_name,
dm_password=config.dirman_password,
subject_base=config.subject_base,
ca_subject=ca_subject,
pkcs12_info=pkcs12_info,
ca_is_configured=ca_is_configured,
ca_file=ca_file,
@@ -703,6 +708,10 @@ def install_check(installer):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
# look up CA subject name (needed for DS certmap.conf)
options.ca_subject = unicode(
DN(x509.load_certificate_from_file(cafile).subject))
for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
('httpcert.p12', 'http_pin.txt')):
pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
@@ -737,6 +746,7 @@ def install_check(installer):
confdir=paths.ETC_IPA,
ldap_uri=ldapuri)
remote_api.finalize()
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
replman = None
try:
@@ -796,7 +806,6 @@ def install_check(installer):
if ca_enabled:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject_base = config.subject_base
ca.install_check(False, config, options)
if kra_enabled:
@@ -855,7 +864,6 @@ def install_check(installer):
installer._ca_enabled = ca_enabled
installer._kra_enabled = kra_enabled
installer._ca_file = cafile
installer._remote_api = remote_api
installer._fstore = fstore
installer._sstore = sstore
@@ -1067,6 +1075,7 @@ def promote_check(installer):
ldap_uri=ldapuri,
xmlrpc_uri=xmlrpc_uri)
remote_api.finalize()
installer._remote_api = remote_api
check_remote_version(remote_api)
@@ -1203,7 +1212,6 @@ def promote_check(installer):
if ca_enabled:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject_base = config.subject_base
ca.install_check(False, config, options)
if kra_enabled:
@@ -1263,7 +1271,6 @@ def promote_check(installer):
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
installer._remote_api = remote_api
installer._add_to_ipaservers = add_to_ipaservers
installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file
installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info
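Review bot: In install_check the CA subject is taken from whatever certificate `x509.load_certificate_from_file(cafile)` returns, but for a CA-less replica the CA file may hold a chain, and if the loader returns only the first certificate the subject written to certmap.conf could be an intermediate rather than the root; if that is possible it deserves at least a comment, e.g. `# assumes cafile holds a single (root) CA certificate; certmap.conf must name the issuer of the DS cert`. Separately, install_replica_ds recomputes the subject (`ca.lookup_ca_subject` when a CA is configured, otherwise `default_ca_subject_dn`) instead of reusing `options.ca_subject`, so the two paths can disagree for a CA-less topology; passing `options.ca_subject` through, or a short comment explaining that the default is deliberately used there until ipa-ca-install rewrites certmap.conf, would make the intent clear. The relocated `installer._remote_api = remote_api` assignments now run before the `try:` blocks, which looks correct. install_check and promote_check both extend past the hunks shown.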