mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Change RA agent certificate profile to caSubsystemCert
Currently, RA agent certificate is issued using caServerCert profile. This has unfortunate side effect of asserting id-pk-serverAuth EKU which is not really needed for RA agent. If IPA CA certificate adds SAN DNS constraints into issued certificates, presence of id-pk-serverAuth EKU forces NSS (and other crypto libraries) to validate CN value with regards to SAN DNS constraints, due to historical use of CN bearing DNS name. Since RA agent certificate has 'CN=IPA RA', it is guaranteed to fail the check.

Default IPA CA configuration does *not* add SAN DNS constraints into RA agent certificate. However, it is better to be prepared to such behavior.

Related: https://bugzilla.redhat.com/1670239

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
73c32dbfeb
commit
802a54bfc8
@ -306,7 +306,7 @@ IPA_CA_RECORD = "ipa-ca"
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse'
RA_AGENT_PROFILE = 'caServerCert'
RA_AGENT_PROFILE = 'caSubsystemCert'
# How long dbus clients should wait for CA certificate RPCs [seconds]
CA_DBUS_TIMEOUT = 120
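Review bot: missing documentation at the RA_AGENT_PROFILE line: the profile name changes from 'caServerCert' to 'caSubsystemCert' with no comment next to the constant, so the reason (the RA agent does not need the serverAuth EKU, and with SAN DNS constraints that EKU would make 'CN=IPA RA' fail name validation) survives only in the commit message. Suggest a short comment above the assignment, e.g. `# caSubsystemCert: RA agent does not need the serverAuth EKU that caServerCert asserts`. Two things worth confirming before merge: that the caSubsystemCert profile is available in every Dogtag version this code targets and still asserts the EKUs the RA agent does rely on, and that the behaviour for existing deployments is understood, since the neighbouring RENEWAL_CA_NAME and RENEWAL_REUSE_CA_NAME helpers suggest already-issued RA certificates keep their current profile until the next renewal picks up the new constant.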