add ca_subject option

As mentioned in #95 (closed), I want to be able to change the default CA Subject

    openssl x509 -in /etc/ipa/ca.crt -noout -subject
    subject=O = TEST.EXAMPLE.COM, CN = Certificate Authority

with this change:

    $realm = 'TEST.EXAMPLE.COM'
    class { 'freeipa' :
      [...]
      ca_subject => "CN=Secondary Certificate Authority,O=${realm}"
    }

    openssl x509 -in /etc/ipa/ca.crt -noout -subject
    subject=O = TEST.EXAMPLE.COM, CN = Secondary Certificate Authority

As mentioned in the ipa-server-install --help:

    --ca-subject=CA_SUBJECT                                                                              
                        The CA certificate subject DN (default CN=Certificate                            
                        Authority,O=<realm-name>). RDNs are in LDAP order                                
                        (most specific RDN first).                                                       

There is no option --ca-subject in ipa-replica-install --help, so I guess you can’t set it, but I don’t have a setup to test it, so I do not know what the exact behavior is when creating a replica using the --setup-ca option.

Also, the test for --ca-subject is quite hard to do for this, as it implies running openssl x509 as shown, so it would only be possible to run in acceptance, and even so quite hard to run I think. Therefore I did not add any. If you think it should be done at all costs, I’m not sure how I would proceed…
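
An added example, not part of the merge request or the module: one way an acceptance check could compare the configured `ca_subject` (LDAP order, most specific RDN first) with the `openssl x509 -noout -subject` line, which lists the RDNs in the opposite order. The helper names are hypothetical, and the code assumes the output format shown above, with no unescaped commas inside RDN values.

```ruby
# Added example: helper names are hypothetical, not part of the freeipa module.
# Sample strings below are constructed from the values shown in the description.

# Split a DN on commas that are not preceded by a backslash and
# normalise every RDN to "TYPE=value" (type upper-cased, spaces trimmed).
def split_rdns(dn)
  dn.split(/(?<!\\),/).map do |rdn|
    type, value = rdn.split('=', 2)
    if value.nil? || type.strip.empty? || value.strip.empty?
      raise ArgumentError, "malformed RDN: #{rdn.inspect}"
    end
    "#{type.strip.upcase}=#{value.strip}"
  end
end

# Turn "subject=O = X, CN = Y" (order printed by openssl) into
# "CN=Y,O=X" (LDAP order, as expected by --ca-subject).
def openssl_subject_to_ldap(line)
  body = line.strip.sub(/\Asubject\s*=\s*/, '')
  split_rdns(body).reverse.join(',')
end

# True when the certificate subject line matches the configured ca_subject.
# Values are compared exactly, so a differently cased CN counts as a mismatch.
def ca_subject_matches?(ca_subject, openssl_line)
  split_rdns(ca_subject).join(',') == openssl_subject_to_ldap(openssl_line)
end

CONFIGURED   = 'CN=Secondary Certificate Authority,O=TEST.EXAMPLE.COM'
CUSTOM_LINE  = 'subject=O = TEST.EXAMPLE.COM, CN = Secondary Certificate Authority'
DEFAULT_LINE = 'subject=O = TEST.EXAMPLE.COM, CN = Certificate Authority'

if __FILE__ == $PROGRAM_NAME
  puts "custom CA subject applied:  #{ca_subject_matches?(CONFIGURED, CUSTOM_LINE)}"
  puts "default CA subject applied: #{ca_subject_matches?(CONFIGURED, DEFAULT_LINE)}"
end
```

In an acceptance run, the line passed as `openssl_line` would be the captured output of the `openssl x509 -in /etc/ipa/ca.crt -noout -subject` command on the provisioned host.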