freeipa/install/share/profiles
Fraser Tweedale 7995518921 Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-14 19:25:59 +02:00
..
caIPAserviceCert.cfg Add CommonNameToSANDefault to default cert profile 2017-06-27 14:25:58 +00:00
caIPAserviceCert.UPGRADE.cfg Restore old version of caIPAserviceCert for upgrade only 2017-08-14 19:25:59 +02:00
IECUserRoles.cfg Add profile for DNP3 / IEC 62351-8 certificates 2015-08-11 14:57:41 +02:00
KDCs_PKINIT_Certs.cfg Configure Anonymous PKINIT on server install 2016-12-12 13:39:44 +01:00
Makefile.am Restore old version of caIPAserviceCert for upgrade only 2017-08-14 19:25:59 +02:00
README Add a README to certificate profile templates directory 2017-06-15 13:55:09 +02:00

This directory contains profile TEMPLATES for certificate profiles
included in FreeIPA.  Do not import these files or modifications
thereof - it is likely that Dogtag will accept the configuration,
but certificate issuance will fail with the updated configuration.
At best, it will not give you the certificates you want.

If you want to modify a profile configuration or create a new
profile based on an existing profile configuration, you should
export the current profile configuration with the command:

    ipa certprofile-show --out FILENAME PROFILE_NAME

After modifying the configuration, update the profile configuration:

    ipa certprofile-mod --file FILENAME PROFILE_NAME

Or if you are creating a new profile:

    ipa certprofile-import --desc DESC --store 1 \
        --file FILENAME NEW_PROFILE_NAME