IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add OCSP and CRL URIs to certificates

Browse Source 
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
This commit is contained in:
Martin Kosek 2012-11-19 10:32:28 -05:00 committed by Rob Crittenden
parent 0d836cd6ee
commit 867f7691e9
7 changed files with 256 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
install/share/bind.zone.db.template
View File

@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST
_kpasswd._tcp IN SRV 0 100 464 $HOST
_kpasswd._udp IN SRV 0 100 464 $HOST
$OPTIONAL_NTP
; CNAME for IPA CA replicas (used for CRL, OCSP)
$IPA_CA_CNAME IN CNAME $HOST

23
install/tools/ipa-ca-install
View File

@ -31,17 +31,17 @@ from ipaserver.install import certs
from ipaserver.install.installutils import HostnameLocalhost
from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
from ipaserver.install.installutils import get_host_name, BadHostError
from ipaserver.install import dsinstance, cainstance
from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipapython import version
from ipalib import api, util
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
from ipapython import dogtag
from ipapython.ipa_log_manager import *
log_file_name = "/var/log/ipareplica-ca-install.log"
CACERT = "/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR = None
def parse_options():
@ -74,6 +74,22 @@ def parse_options():
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def install_dns_records(config, options):
if not bindinstance.dns_container_exists(config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
try:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=config.dirman_password)
bind.add_ipa_ca_cname(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
def main():
safe_options, options, filename = parse_options()
@ -176,6 +192,9 @@ def main():
CA.enable_client_auth_to_db()
CA.restart()
# Install CA DNS records
install_dns_records(config, options)
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)

6
install/tools/ipa-replica-install
View File

@ -247,7 +247,8 @@ def install_bind(config, options):
print "Using reverse zone %s" % reverse_zone
bind.setup(config.host_name, config.ip_address, config.realm_name,
config.domain_name, forwarders, options.conf_ntp, reverse_zone)
config.domain_name, forwarders, options.conf_ntp, reverse_zone,
ca_configured=options.setup_ca)
bind.create_instance()
print ""
@ -296,7 +297,8 @@ def install_dns_records(config, options):
bind.add_master_dns_records(config.host_name, config.ip_address,
config.realm_name, config.domain_name,
reverse_zone, options.conf_ntp)
reverse_zone, options.conf_ntp,
options.setup_ca)
def check_dirsrv():
(ds_unsecure, ds_secure) = dsinstance.check_ports()

14
install/tools/ipa-server-install
View File

@ -965,8 +965,8 @@ def main():
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
if external == 0:
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, subject_base=options.subject)
elif external == 1:
# stage 1 of external CA installation
options.realm_name = realm_name
@ -979,12 +979,13 @@ def main():
options.forwarders = dns_forwarders
options.reverse_zone = reverse_zone
write_cache(vars(options))
ca.configure_instance(host_name, dm_password, dm_password,
csr_file="/root/ipa.csr",
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file="/root/ipa.csr",
subject_base=options.subject)
else:
# stage 2 of external CA installation
ca.configure_instance(host_name, dm_password, dm_password,
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
subject_base=options.subject)
@ -1079,7 +1080,8 @@ def main():
options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
persistent_search=options.persistent_search,
serial_autoincrement=options.serial_autoincrement)
serial_autoincrement=options.serial_autoincrement,
ca_configured=not options.selfsign)
if options.setup_dns:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)

38
install/tools/ipa-upgradeconfig
View File

@ -30,6 +30,7 @@ try:
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
from ipapython.dn import DN
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
@ -47,6 +48,7 @@ try:
import pwd
import fileinput
from ipalib import api
import ipalib.util
import ipalib.errors
except ImportError:
print >> sys.stderr, """\
@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
def upgrade_ipa_profile(ca):
def upgrade_ipa_profile(ca, domain, fqdn):
"""
Update the IPA Profile provided by dogtag
@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
else:
root_logger.debug('Subject Key Identifier already set.')
audit = ca.set_audit_renewal()
if audit or ski:
uri = ca.set_crl_ocsp_extensions(domain, fqdn)
if audit or ski or uri:
return True
else:
root_logger.info('CA is not configured')
@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
'request pki-ca restart')
return True
def add_server_cname_records():
root_logger.info('[Add missing server CNAME records]')
if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError, e:
root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
else:
ret = api.Command['dns_is_enabled']()
if not ret['result']:
root_logger.info('DNS is not configured')
sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
return
bind = bindinstance.BindInstance()
# DNS is enabled, so let bindinstance find out if CA is enabled
# and let it add the CNAME in that case
bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
else:
root_logger.info('IPA CA CNAME already processed')
def main():
"""
Get some basics about the system. If getting those basics fail then
@ -602,7 +631,7 @@ def main():
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
api.bootstrap(context='restart')
api.bootstrap(context='restart', in_server=True)
api.finalize()
fqdn = find_hostname()
@ -667,13 +696,14 @@ def main():
cleanup_kdc(fstore)
setup_firefox_extension(fstore)
add_server_cname_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')

62
ipaserver/install/bindinstance.py
View File

@ -28,6 +28,7 @@ import ldap
import service
from ipaserver import ipaldap
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.cainstance import IPA_CA_CNAME
from ipaserver.install.installutils import resolve_host
from ipapython import sysrestore
from ipapython import ipautil
@ -330,7 +331,7 @@ def del_rr(zone, name, type, rdata):
delkw = { '%srecord' % str(type.lower()) : unicode(rdata) }
try:
api.Command.dnsrecord_del(unicode(zone), unicode(name), **delkw)
except (errors.NotFound, errors.EmptyModlist):
except (errors.NotFound, errors.AttrValueNotFound, errors.EmptyModlist):
pass
def get_rr(zone, name, type):
@ -430,7 +431,8 @@ class BindInstance(service.Service):
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
reverse_zone, named_user="named", zonemgr=None,
zone_refresh=0, persistent_search=True, serial_autoincrement=True):
zone_refresh=0, persistent_search=True, serial_autoincrement=True,
ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
self.ip_address = ip_address
@ -444,6 +446,7 @@ class BindInstance(service.Service):
self.zone_refresh = zone_refresh
self.persistent_search = persistent_search
self.serial_autoincrement = serial_autoincrement
self.ca_configured = ca_configured
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % self.domain
@ -497,6 +500,7 @@ class BindInstance(service.Service):
if self.reverse_zone is not None:
self.step("setting up reverse zone", self.__setup_reverse_zone)
self.step("setting up our own record", self.__add_self)
self.step("setting up CA CNAME record", self.__add_ipa_ca_cname)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up named.conf", self.__setup_named_conf)
@ -556,6 +560,7 @@ class BindInstance(service.Service):
OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr,
ZONE_REFRESH=self.zone_refresh,
IPA_CA_CNAME=IPA_CA_CNAME,
PERSISTENT_SEARCH=boolean_var['persistent_search'],
SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
@ -582,6 +587,28 @@ class BindInstance(service.Service):
def __add_self_ns(self):
add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True)
def __add_ipa_ca_cname(self):
if self.ca_configured is False:
root_logger.debug("CA is not configured, skip this step")
return
elif self.ca_configured is None:
# we do not know if CA is configured for this host and we can
# add the CA CNAME record. So we need to find out
root_logger.debug("Check if CA is enabled for this host")
base_dn = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'),
('cn', 'etc'), api.env.basedn)
ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
try:
api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
except ipalib.errors.NotFound:
# CA is not configured
root_logger.debug("CA is not configured")
return
else:
root_logger.debug("CA is configured for this host, continue")
add_rr(self.domain, IPA_CA_CNAME, "CNAME", self.host_in_rr)
def __add_self(self):
zone = self.domain
resource_records = (
@ -681,7 +708,7 @@ class BindInstance(service.Service):
resolv_fd.close()
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False):
reverse_zone, ntp=False, ca_configured=None):
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
@ -690,23 +717,36 @@ class BindInstance(service.Service):
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zone = reverse_zone
self.ca_configured = ca_configured
self.__add_self()
self.__add_ipa_ca_cname()
def add_ipa_ca_cname(self, fqdn, domain_name, ca_configured=True):
self.host = fqdn.split(".")[0]
self.fqdn = fqdn
self.domain = domain_name
self.ca_configured = ca_configured
self.__add_ipa_ca_cname()
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host = fqdn.split(".")[0]
self.host = host
self.fqdn = fqdn
self.domain = domain_name
suffix = ipautil.realm_to_suffix(realm_name)
zone = domain_name
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % host),
("_kerberos._tcp", "SRV", "0 100 88 %s" % host),
("_kerberos._udp", "SRV", "0 100 88 %s" % host),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % host),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % host),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % host),
("_kpasswd._udp", "SRV", "0 100 464 %s" % host),
("_ntp._udp", "SRV", "0 100 123 %s" % host),
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
(IPA_CA_CNAME, "CNAME", self.host_in_rr),
("@", "NS", fqdn+"."),
)

150
ipaserver/install/cainstance.py
View File

@ -66,6 +66,9 @@ DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
PKI_USER = "pkiuser"
PKI_DS_USER = dogtag.install_constants.DS_USER
# When IPA is installed with DNS support, this CNAME should hold all IPA
# replicas with CA configured
IPA_CA_CNAME = "ipa-ca"
# We need to reset the template because the CA uses the regular boot
# information
@ -497,6 +500,7 @@ class CAInstance(service.Service):
self.dm_password = None
self.admin_password = None
self.fqdn = None
self.domain = None
self.pkcs12_info = None
self.clone = False
@ -516,7 +520,7 @@ class CAInstance(service.Service):
self.ra_agent_db = ra_db
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA"
self.security_domain_name = "IPA"
self.server_root = dogtag_constants.SERVER_ROOT
self.ra_cert = None
self.requestId = None
@ -534,7 +538,7 @@ class CAInstance(service.Service):
return os.path.exists(os.path.join(
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
def configure_instance(self, host_name, dm_password,
def configure_instance(self, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
@ -552,6 +556,7 @@ class CAInstance(service.Service):
csr_file. For step 2 set cert_file and cert_chain_file.
"""
self.fqdn = host_name
self.domain = domain
self.dm_password = dm_password
self.admin_password = admin_password
self.ds_port = ds_port
@ -596,6 +601,7 @@ class CAInstance(service.Service):
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("set certificate subject base", self.__set_subject_in_config)
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
@ -633,7 +639,7 @@ class CAInstance(service.Service):
"pki_client_database_password": self.admin_password,
"pki_client_database_purge": "False",
"pki_client_pkcs12_password": self.admin_password,
"pki_security_domain_name": self.domain_name,
"pki_security_domain_name": self.security_domain_name,
"pki_admin_name": "admin",
"pki_admin_uid": "admin",
"pki_admin_email": "root@localhost",
@ -800,7 +806,7 @@ class CAInstance(service.Service):
"-client_certdb_dir", self.ca_agent_db,
"-client_certdb_pwd", self.admin_password,
"-preop_pin" , preop_pin,
"-domain_name", self.domain_name,
"-domain_name", self.security_domain_name,
"-admin_user", "admin",
"-admin_email", "root@localhost",
"-admin_password", self.admin_password,
@ -1239,6 +1245,124 @@ class CAInstance(service.Service):
return publishdir
def __set_crl_ocsp_extensions(self):
self.set_crl_ocsp_extensions(self.domain, self.fqdn)
def set_crl_ocsp_extensions(self, domain, fqdn):
"""
Configure CRL and OCSP extensions in default IPA certificate profile
if not done already.
"""
changed = False
# OCSP extension
ocsp_location_0 = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
separator='=')
if not ocsp_location_0:
# Set the first OCSP URI
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
quotes=False, separator='=')
changed = True
ocsp_profile_count = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
separator='=')
if ocsp_profile_count == '1':
# add the second OCSP URI
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
'true', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
'URIName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
'1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
'2', quotes=False, separator='=')
changed = True
# CRL extension
crl_issuer_0 = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
separator='=')
if not crl_issuer_0:
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
'DirectoryName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
quotes=False, separator='=')
changed = True
crl_profile_count = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
separator='=')
if crl_profile_count == '1':
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
'true', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
'DirectoryName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
'URIName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
'', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
'2', quotes=False, separator='=')
changed = True
# CRL extension is not enabled by default
setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', separator='=')
new_set_list = None
if setlist == '1,2,3,4,5,6,7,8':
new_set_list = '1,2,3,4,5,6,7,8,9'
elif setlist == '1,2,3,4,5,6,7,8,10':
new_set_list = '1,2,3,4,5,6,7,8,9,10'
if new_set_list:
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list',
new_set_list, quotes=False, separator='=')
changed = True
return changed
def __enable_crl_publish(self):
"""
Enable file-based CRL publishing and disable LDAP publishing.
@ -1279,12 +1403,6 @@ class CAInstance(service.Service):
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
# Fix the CRL URI in the profile
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=')
# If we are the initial master then we are the CRL generator, otherwise
# we point to that master for CRLs.
if not self.clone:
@ -1484,11 +1602,12 @@ class CAInstance(service.Service):
# this is the default setting from pki-ca/pki-tomcat. Don't touch it
# if a user has manually modified it.
if setlist == '1,2,3,4,5,6,7,8':
if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
setlist = setlist + ',10'
installutils.set_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list',
'1,2,3,4,5,6,7,8,10',
setlist,
quotes=False, separator='=')
installutils.set_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
@ -1676,8 +1795,9 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
# If installing this afterward the Apache NSS database already
# exists, don't remove it.
ca.create_ra_agent_db = False
ca.configure_instance(config.host_name, config.dirman_password,
config.dirman_password, pkcs12_info=(cafile,),
ca.configure_instance(config.host_name, config.domain_name,
config.dirman_password, config.dirman_password,
pkcs12_info=(cafile,),
master_host=config.master_host_name,
master_replication_port=master_ds_port,
subject_base=config.subject_base)
@ -1740,4 +1860,4 @@ if __name__ == "__main__":
ds = dsinstance.DsInstance()
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("catest.example.com", "password", "password")
ca.configure_instance("catest.example.com", "example.com", "password", "password")