IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Do not create Object Signing certificate

Browse Source 
The Object Signing certificate created during server installation
was used only for signing the (recently removed) Firefox extension,
so there's no need to create that certificate any more.

Fixes: https://fedorahosted.org/freeipa/ticket/6399
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Fraser Tweedale 2016-10-14 13:20:16 +10:00 committed by Martin Basti
parent 5d15626b4d
commit eb6bfd82f3
4 changed files with 3 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
install/ui/test/data/cert_find.json
View File

@ -57,12 +57,6 @@
"serial_number_hex": "0x9", "serial_number_hex": "0x9",
"status": "VALID", "status": "VALID",
"subject": "CN=dev.example.com,O=EXAMPLE.COM" "subject": "CN=dev.example.com,O=EXAMPLE.COM"
},
{
"serial_number": 10,
"serial_number_hex": "0xA",
"status": "VALID",
"subject": "CN=Object Signing Cert,O=EXAMPLE.COM"
} }
], ],
"summary": "10 certificates matched", "summary": "10 certificates matched",

6
ipaserver/install/ca.py
View File

@ -94,8 +94,7 @@ def install_check(standalone, replica_config, options):
for db in (cadb, dsdb): for db in (cadb, dsdb):
for nickname, _trust_flags in db.list_certs(): for nickname, _trust_flags in db.list_certs():
if nickname in (certdb.get_ca_nickname(realm_name), if nickname in (certdb.get_ca_nickname(realm_name),
'ipaCert', 'ipaCert'):
'Signing-Cert'):
raise ScriptError( raise ScriptError(
"Certificate with nickname %s is present in %s, " "Certificate with nickname %s is present in %s, "
"cannot continue." % (nickname, db.secdir)) "cannot continue." % (nickname, db.secdir))
@ -105,8 +104,7 @@ def install_check(standalone, replica_config, options):
continue continue
subject = DN(str(x509.get_subject(cert))) subject = DN(str(x509.get_subject(cert)))
if subject in (DN('CN=Certificate Authority', subject_base), if subject in (DN('CN=Certificate Authority', subject_base),
DN('CN=IPA RA', subject_base), DN('CN=IPA RA', subject_base)):
DN('CN=Object Signing Cert', subject_base)):
raise ScriptError( raise ScriptError(
"Certificate with subject %s is present in %s, " "Certificate with subject %s is present in %s, "
"cannot continue." % (subject, db.secdir)) "cannot continue." % (subject, db.secdir))

1
ipaserver/install/httpinstance.py
View File

@ -346,7 +346,6 @@ class HTTPInstance(service.Service):
ca_db) ca_db)
db.track_server_cert(self.cert_nickname, self.principal, db.track_server_cert(self.cert_nickname, self.principal,
db.passwd_fname, 'restart_httpd') db.passwd_fname, 'restart_httpd')
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
self.add_cert_to_service() self.add_cert_to_service()
# Fix the database permissions # Fix the database permissions

1
ipaserver/install/server/replicainstall.py
View File

@ -96,7 +96,6 @@ def install_http_certs(config, fstore, remote_api):
subject = DN(('O', config.realm_name)) subject = DN(('O', config.realm_name))
db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject) db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject)
db.request_service_cert('Server-Cert', principal, config.host_name, True) db.request_service_cert('Server-Cert', principal, config.host_name, True)
# FIXME: need Signing-Cert too ?
def install_replica_ds(config, options, ca_is_configured, remote_api, def install_replica_ds(config, options, ca_is_configured, remote_api,