From bf0a34b06e4a44b71b5a9b5f7b7537d3d99e0441 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 7 Jun 2017 19:41:26 +1000
Subject: [PATCH] Add CommonNameToSANDefault to default cert profile
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
freeipa.spec.in | 4 ++--
install/share/profiles/caIPAserviceCert.cfg | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..721e512039a4d7f9d2ed94d7620b083732c56304 100644
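--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -291,8 +291,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.5-11
-Requires: pki-kra >= 10.3.5-11
+Requires: pki-ca >= 10.4.0-1
+Requires: pki-kra >= 10.4.0-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5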
diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg
index 6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c..3bec9ed10c7c053a67271de52dd95e71fe1fb6b8 100644
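--- a/install/share/profiles/caIPAserviceCert.cfg
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
 policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
 policyset.serverCertSet.11.default.name=User Supplied Extension Default
 policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name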
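Review bot: Nothing in the new `policyset.serverCertSet.12.*` entries records that component 12 depends on coming after component 11, the user-supplied SAN default (`userExtOID=2.5.29.17`). Presumably `commonNameToSANDefaultImpl` has to run last so that it adds the CN to whatever SAN the request already carries instead of having its result replaced. If the profile format accepts comment lines here, something like `# keep after every component that sets the SAN extension (2.5.29.17)` above the `12.constraint` entries would guard against a later reordering of `policyset.serverCertSet.list` silently dropping the dNSName. The copied name is paired with `noConstraintImpl`, so the SAN value is only as trustworthy as the CN validation done before issuance. The only check visible on this page is the loose `CN=[^,]+,.+` pattern in the first hunk; any stricter host or principal matching lives outside these hunks and is worth confirming.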
--
2.9.4