freeipa/install/share/profiles
Christian Heimes 24a5d4d06b Ensure that KDC cert has SAN DNS entry
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-29 13:36:41 -05:00
acmeIPAServerCert.cfg Centralize enable/disable of the ACME service 2020-11-02 10:43:57 -05:00
caIPAserviceCert.cfg Add CommonNameToSANDefault to default cert profile 2017-06-27 14:25:58 +00:00
caIPAserviceCert.UPGRADE.cfg Restore old version of caIPAserviceCert for upgrade only 2017-08-14 19:25:59 +02:00
IECUserRoles.cfg Add profile for DNP3 / IEC 62351-8 certificates 2015-08-11 14:57:41 +02:00
KDCs_PKINIT_Certs.cfg Ensure that KDC cert has SAN DNS entry 2021-01-29 13:36:41 -05:00
Makefile.am Centralize enable/disable of the ACME service 2020-11-02 10:43:57 -05:00
README Add a README to certificate profile templates directory 2017-06-15 13:55:09 +02:00

This directory contains profile TEMPLATES for certificate profiles
included in FreeIPA.  Do not import these files or modifications
thereof - it is likely that Dogtag will accept the configuration,
but certificate issuance will fail with the updated configuration.
At best, it will not give you the certificates you want.

If you want to modify a profile configuration or create a new
profile based on an existing profile configuration, you should
export the current profile configuration with the command:

    ipa certprofile-show --out FILENAME PROFILE_NAME

After modifying the configuration, update the profile configuration:

    ipa certprofile-mod --file FILENAME PROFILE_NAME

Or if you are creating a new profile:

    ipa certprofile-import --desc DESC --store 1 \
        --file FILENAME NEW_PROFILE_NAME