From 148e78d74206730c31dd7bc87eece5c5bd1440ac Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 9 Aug 2017 17:28:35 -0400
Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:
X509v3 Basic Constraints: critical
CA:TRUE
Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.
Note that this also sets pathlen to -1 which means an unlimited
pathlen, i.e. the CSR asserts CA:TRUE without a pathLenConstraint. Leave it up to the issuing CA to impose the actual path length limit.
https://pagure.io/freeipa/issue/7088
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipalib/install/certmonger.py | 13 +++++++++++--
ipaserver/install/ipa_cacert_manage.py | 3 ++-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
|
|
|
3f51ca |
index c286996ee2318e241b4af190d1a01f42e28aa9f3..d2b782ddb0c746a3dfd96d0222bb31c6a960fdff 100644
|
|
|
3f51ca |
--- a/ipalib/install/certmonger.py
|
|
|
3f51ca |
+++ b/ipalib/install/certmonger.py
|
|
|
3f51ca |
@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
|
|
|
3f51ca |
request.obj_if.modify(update)
|
|
|
3f51ca |
|
|
|
3f51ca |
|
|
|
3f51ca |
-def resubmit_request(request_id, ca=None, profile=None):
|
|
|
3f51ca |
+def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
+ :param request_id: the certmonger numeric request ID
|
|
|
3f51ca |
+ :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
|
|
|
3f51ca |
+ :param profile: the dogtag template profile to use, e.g. SubCA
|
|
|
3f51ca |
+ :param is_ca: boolean that if True adds the CA basic constraint
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
request = _get_request({'nickname': request_id})
|
|
|
3f51ca |
if request:
|
|
|
3f51ca |
- if ca or profile:
|
|
|
3f51ca |
+ if ca or profile or is_ca:
|
|
|
3f51ca |
update = {}
|
|
|
3f51ca |
if ca is not None:
|
|
|
3f51ca |
cm = _certmonger()
|
|
|
3f51ca |
update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
|
|
|
3f51ca |
if profile is not None:
|
|
|
3f51ca |
update['template-profile'] = profile
|
|
|
3f51ca |
+ if is_ca:
|
|
|
3f51ca |
+ update['template-is-ca'] = True
|
|
|
3f51ca |
+ update['template-ca-path-length'] = -1 # no path length
|
|
|
3f51ca |
request.obj_if.modify(update)
|
|
|
3f51ca |
request.obj_if.resubmit()
|
|
|
3f51ca |
|
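Review bot: The new `if is_ca:` branch only ever adds `template-is-ca` and `template-ca-path-length` to the persistent certmonger request, so calling `resubmit_request()` with `is_ca=False` on a request that was previously flagged leaves CA:TRUE in place; the docstring should say so rather than imply False means "not a CA" — `:param is_ca: if True, request the CA basic constraint; an existing CA setting on the request is never cleared`. The inline comment `# no path length` understates the security meaning of -1: the CSR will assert CA:TRUE with no pathLenConstraint, which is only acceptable when the issuing CA imposes its own limit instead of copying extensions from the request, so suggest `# -1: omit pathLenConstraint from the CSR; the issuing CA is expected to impose its own limit`. Both attribute names appear to be certmonger request properties whose availability depends on the installed certmonger version, which this hunk does not check; if the project pins a minimum certmonger version, a note here naming it would help the next maintainer.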
|
|
3f51ca |
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
|
|
|
3f51ca |
index fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb..9607620d6c3e63b70b9e586f94282bf478c8c53e 100644
|
|
|
3f51ca |
--- a/ipaserver/install/ipa_cacert_manage.py
|
|
|
3f51ca |
+++ b/ipaserver/install/ipa_cacert_manage.py
|
|
|
3f51ca |
@@ -310,7 +310,8 @@ class CACertManage(admintool.AdminTool):
|
|
|
3f51ca |
timeout = api.env.startup_timeout + 60
|
|
|
3f51ca |
|
|
|
3f51ca |
self.log.debug("resubmitting certmonger request '%s'", self.request_id)
|
|
|
3f51ca |
- certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
|
|
|
3f51ca |
+ certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
|
|
|
3f51ca |
+ is_ca=True)
|
|
|
3f51ca |
try:
|
|
|
3f51ca |
state = certmonger.wait_for_request(self.request_id, timeout)
|
|
|
3f51ca |
except RuntimeError:
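Review bot: `is_ca=True` is passed unconditionally here, while the commit message scopes the fix to `--external-ca`; since `ca` and `profile` are computed outside the hunk, this method is presumably shared by the IPA-signed and self-signed renewal paths, so every renewal now sets `template-is-ca` and an unconstrained path length on the persistent certmonger request. If that is intended for all paths, a comment above the call saying so would save the next reader a trip to the issue tracker, e.g. `# the request is always for the CA cert itself, so ask for CA:TRUE regardless of signer`. Consider also extending the debug line to `self.log.debug("resubmitting certmonger request '%s' with CA basic constraint", self.request_id)` so the change in requested extensions is visible in logs. The enclosing method starts before this hunk.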
--
2.9.5