Use new pki_ipaca.ini to spawn instances

Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

install/share/Makefile.am

@@ -95,6 +95,7 @@ dist_app_DATA =				\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
 	min-ssf.ldif			\
+	ipaca_default.ini		\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy

install/share/ipaca_default.ini

@@ -6,6 +6,7 @@
 
 [DEFAULT]
 ipa_admin_email=root@localhost
+
 # default algorithms for all certificates
 ipa_key_algorithm=SHA256withRSA
 ipa_key_size=2048
@@ -21,31 +22,31 @@ ipa_ca_key_type=%(ipa_key_type)s
 # hard-coded IPA default settings
 ipa_security_domain_name=IPA
 ipa_ds_database=ipaca
-ipa_ds_base_dn=o=%(ipa_ds_database)s
 ipa_admin_user=admin
 ipa_admin_nickname=ipa-ca-agent
 ipa_ca_pem_file=/etc/ipa/ca.crt
 
-# dynamic values
-ipa_ca_subject=
-ipa_subject_base=
-ipa_fqdn=
-ipa_ocsp_uri=
-ipa_admin_cert_p12=
-ipa_master_host=
-ipa_clone_uri=
+## dynamic values
+# ipa_ca_subject=
+# ipa_ds_base_dn=
+# ipa_subject_base=
+# ipa_fqdn=
+# ipa_ocsp_uri=
+# ipa_admin_cert_p12=
 
 # sensitive dynamic values
-pki_admin_password=
-pki_ds_password=
-pki_token_password=
+# pki_admin_password=
+# pki_ds_password=
+# pki_token_password=
 
 # HSM support
-ipa_backup_keys=True
-ipa_hsm_enable=False
-ipa_hsm_libfile=
-ipa_hsm_modulename=
-ipa_token_name=internal
+pki_hsm_enable=False
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=internal
+# backup is automatically disabled when HSM support is enabled
+pki_backup_keys=True
+pki_backup_password=%(pki_admin_password)s
 
 # Dogtag defaults
 pki_instance_name=pki-tomcat
@@ -64,10 +65,8 @@ pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
 pki_audit_signing_key_size=%(ipa_key_size)s
 pki_audit_signing_key_type=%(ipa_key_type)s
 pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
-pki_audit_signing_token=%(ipa_token_name)s
+pki_audit_signing_token=%(pki_token_name)s
 
-pki_backup_keys=True
-pki_backup_password=%(pki_admin_password)s
 pki_ca_hostname=%(pki_security_domain_hostname)s
 pki_ca_port=%(pki_security_domain_https_port)s
 
@@ -86,11 +85,9 @@ pki_ds_ldaps_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-pki_ds_secure_connection_ca_pem_file=
+pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
 pki_group=pkiuser
-pki_hsm_enable=False
-pki_hsm_libfile=
-pki_hsm_modulename=
+
 pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
@@ -142,15 +139,13 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
 pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
 pki_subsystem_key_size=%(ipa_key_size)s
 pki_subsystem_key_type=%(ipa_key_type)s
-pki_subsystem_token=%(ipa_token_name)s
+pki_subsystem_token=%(pki_token_name)s
 # nickname and subject are hard-coded
 pki_subsystem_nickname=subsystemCert cert-pki-ca
 pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
 
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
-pki_token_name=%(ipa_token_name)s
-# pki_token_password
 pki_user=pkiuser
 pki_existing=False
 
@@ -173,28 +168,28 @@ pki_ca_signing_record_create=True
 pki_ca_signing_serial_number=1
 pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
 pki_ca_signing_subject_dn=%(ipa_ca_subject)s
-pki_ca_signing_token=%(ipa_token_name)s
+pki_ca_signing_token=%(pki_token_name)s
 
-pki_ca_signing_csr_path=%(pki_instance_configuration_path)s/external_ca.csr
+pki_ca_signing_csr_path=/root/ipa.csr
 
-pki_ocsp_signing_csr_path=
-pki_audit_signing_csr_path=
-pki_sslserver_csr_path=
-pki_subsystem_csr_path=
+# pki_ocsp_signing_csr_path=
+# pki_audit_signing_csr_path=
+# pki_sslserver_csr_path=
+# pki_subsystem_csr_path=
 
-pki_ocsp_signing_cert_path=
-pki_audit_signing_cert_path=
-pki_sslserver_cert_path=
-pki_subsystem_cert_path=
+# pki_ocsp_signing_cert_path=
+# pki_audit_signing_cert_path=
+# pki_sslserver_cert_path=
+# pki_subsystem_cert_path=
 
 pki_ca_starting_crl_number=0
 pki_external=False
+pki_external_step_two=False
 pki_req_ext_add=False
 # MS subca request ext data
 pki_req_ext_oid=1.3.6.1.4.1.311.20.2
 pki_req_ext_critical=False
 pki_req_ext_data=1E0A00530075006200430041
-pki_external_step_two=False
 
 pki_external_pkcs12_path=%(pki_pkcs12_path)s
 pki_external_pkcs12_password=%(pki_pkcs12_password)s
@@ -204,7 +199,7 @@ pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
 pki_ocsp_signing_key_size=%(ipa_key_size)s
 pki_ocsp_signing_key_type=%(ipa_key_type)s
 pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
-pki_ocsp_signing_token=%(ipa_token_name)s
+pki_ocsp_signing_token=%(pki_token_name)s
 # nickname and subject are hard-coded
 pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
 pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
@@ -213,7 +208,7 @@ pki_profiles_in_ldap=True
 pki_random_serial_numbers_enable=False
 pki_subordinate=False
 pki_subordinate_create_new_security_domain=False
-pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
+### pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
 
 pki_admin_email=%(ipa_admin_email)s
 pki_admin_name=%(ipa_admin_user)s
@@ -242,7 +237,7 @@ pki_replica_number_range_end=100
 pki_import_admin_cert=True
 pki_standalone=False
 pki_kra_ephemeral_requests=True
-pki_ds_create_new_db=True
+pki_ds_create_new_db=False
 
 # pki_admin_csr_path=
 # pki_audit_signing_csr_path=
@@ -266,7 +261,7 @@ pki_storage_key_type=%(ipa_key_type)s
 pki_storage_nickname=storageCert cert-pki-kra
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
-pki_storage_token=%(ipa_token_name)s
+pki_storage_token=%(pki_token_name)s
 
 pki_transport_key_algorithm=%(ipa_key_algorithm)s
 pki_transport_key_size=%(ipa_key_size)s
@@ -274,7 +269,7 @@ pki_transport_key_type=%(ipa_key_type)s
 pki_transport_nickname=transportCert cert-pki-kra
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
-pki_transport_token=%(ipa_token_name)s
+pki_transport_token=%(pki_token_name)s
 
 pki_admin_email=%(ipa_admin_email)s
 pki_admin_name=%(ipa_admin_user)s
@@ -285,5 +280,7 @@ pki_admin_uid=%(ipa_admin_user)s
 pki_audit_signing_nickname=auditSigningCert cert-pki-kra
 pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
 
+# Needed because CA and KRA share the same database
+# We will use the dbuser created for the CA.
 pki_share_db=True
 pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s