Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)

Please review.

thanks,

Christina

>From 1195ee9d6e45783d238edc1799363c21590febce Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@dhcp-16-189.sjc.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH] Ticket #2446 pkispawn: make subject_dn defaults unique per
 instance name (for shared HSM) When installing multiple instances on the same
 host sharing the same HSM, if subject_dn's are not specifically spelled out
 with unique names for each instance, installation will fail with complaints
 that the same subject name and serial number already exist. This happens,
 for example, when you create a subordinate CA in the same domain name as
 the root CA. It is very inconvenient that you are
 expected to spell out subject dn's of all system certs in the pkispawn config
 file. This patch changes default.cfg so that the instance name is in the
 default subject dn, e.g. adding it as an "ou" component:
 ou=%(pki_instance_name)s

---
 base/server/etc/default.cfg | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f759dbac0df53ee6078027740e0aed5f107b22e7..31267ed88159e36e94e900c5fff103a2f2a2357d 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -124,13 +124,13 @@ pki_ssl_server_key_algorithm=SHA256withRSA
 pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
 pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
-pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ssl_server_token=
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
 pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
-pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_subsystem_token=
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
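Review bot: The added `ou=%(pki_instance_name)s` component on lines 37 and 44 (and the same edit in every later hunk) only makes the subject DN unique when the instance names differ, so two hosts that share one HSM and both keep the default instance name would still produce identical subject DNs for the subsystem, signing and audit certificates; only the server cert is disambiguated by `cn=%(pki_hostname)s`. Nothing in default.cfg says why the ou component is there or that it is a uniqueness measure rather than a naming convention, so the next person is likely to drop it. A short comment above the first affected key would record the intent: `# ou=%(pki_instance_name)s keeps system cert subject DNs unique across instances that share an HSM token; instances on different hosts with the same instance name still collide, so override *_subject_dn in the deployment config in that case.` Note also that the instance name is now embedded in an X.500 DN, so a name containing DN-special characters (`,` `+` `"` `\` `<` `>` `;`) would presumably need escaping; pki_ds_base_dn already has the same exposure, so this may already be validated elsewhere, but it is worth confirming.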
@@ -292,7 +292,7 @@ pki_ca_signing_key_size=2048
 pki_ca_signing_key_type=rsa
 pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ca_signing_token=
 pki_ca_signing_csr_path=
 pki_ca_signing_cert_path=
@@ -316,7 +316,7 @@ pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
 pki_profiles_in_ldap=False
 pki_random_serial_numbers_enable=False
@@ -326,10 +326,10 @@ pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_admin_uid=caadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
-pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ds_base_dn=o=%(pki_instance_name)s-CA
 pki_ds_database=%(pki_instance_name)s-CA
 pki_ds_hostname=%(pki_hostname)s
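Review bot: Line 71 changes the default admin certificate subject DN, which does not seem required by the shared-HSM rationale: the admin cert is issued by this instance's own CA with a fresh serial number, and its key presumably lives in the client NSS database rather than on the shared token, so it would not trigger the duplicate subject/serial failure described in the commit message (confirm against the admin key generation path). The same applies to the admin DN edits on lines 98, 117, 130 and 143. Since the admin DN is what operators see when importing the cert and what tests or ACLs may match on, consider either leaving those five lines at the old default or stating in the commit message that the change is for consistency rather than necessity.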
@@ -404,22 +404,22 @@ pki_storage_key_size=2048
 pki_storage_key_type=rsa
 pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
 pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_storage_token=
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
 pki_transport_key_type=rsa
 pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
 pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_transport_token=
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_admin_uid=kraadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
-pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ds_base_dn=o=%(pki_instance_name)s-KRA
 pki_ds_database=%(pki_instance_name)s-KRA
 pki_ds_hostname=%(pki_hostname)s
@@ -473,15 +473,15 @@ pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_admin_uid=ocspadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
-pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
 pki_ds_database=%(pki_instance_name)s-OCSP
 pki_ds_hostname=%(pki_hostname)s
@@ -510,10 +510,10 @@ pki_import_admin_cert=True
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_admin_uid=tksadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
-pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ds_base_dn=o=%(pki_instance_name)s-TKS
 pki_ds_database=%(pki_instance_name)s-TKS
 pki_ds_hostname=%(pki_hostname)s
@@ -532,10 +532,10 @@ pki_import_admin_cert=True
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_admin_uid=tpsadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
-pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ds_base_dn=o=%(pki_instance_name)s-TPS
 pki_ds_database=%(pki_instance_name)s-TPS
 pki_ds_hostname=%(pki_hostname)s
-- 
2.7.4
