diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 04971b0f0cc..a182c6e94db 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -955,7 +955,9 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=org.mozilla.jss.netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caServerCertWithSCT,caECServerCertWithSCT,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=acmeServerCert,caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caServerCertWithSCT,caECServerCertWithSCT,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.acmeServerCert.class_id=caEnrollImpl
+profile.acmeServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/acmeServerCert.cfg
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/acmeServerCert.cfg b/base/ca/shared/profiles/ca/acmeServerCert.cfg
similarity index 100%
rename from base/ca/shared/profiles/acmeServerCert.cfg
rename to base/ca/shared/profiles/ca/acmeServerCert.cfg
diff --git a/base/server/upgrade/10.9.0/02-AddACMEServerCertProfile.py b/base/server/upgrade/10.9.0/02-AddACMEServerCertProfile.py
new file mode 100644
index 00000000000..bcf9838092f
--- /dev/null
+++ b/base/server/upgrade/10.9.0/02-AddACMEServerCertProfile.py
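Review bot: The new profile.acmeServerCert.class_id and profile.acmeServerCert.config entries register the profile on fresh installs, but nothing in this hunk shows whether the profile is enabled or what authentication and authorization it requires; that lives in acmeServerCert.cfg, which the commit only renames at 100% similarity and does not show. Since the documentation hunk in this commit drops the manual `ca-profile-enable acmeServerCert` step, please confirm the profile file itself carries the intended enable state and access controls before it ships as a default CA profile, as this widens the set of enrollment profiles every new CA exposes.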
@@ -0,0 +1,49 @@
+# Authors:
+# Endi S. Dewata
+#
+# Copyright Red Hat, Inc.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+from __future__ import absolute_import
+import logging
+import os
+
+import pki
+
+logger = logging.getLogger(__name__)
+
+
+class AddACMEServerCertProfile(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+        super(AddACMEServerCertProfile, self).__init__()
+        self.message = 'Add acmeServerCert profile'
+
+    def upgrade_subsystem(self, instance, subsystem):
+
+        if subsystem.name != 'ca':
+            return
+
+        path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'acmeServerCert.cfg')
+
+        if not os.path.exists(path):
+            logger.info('Creating acmeServerCert.cfg')
+            self.backup(path)
+            instance.copyfile('/usr/share/pki/ca/profiles/ca/acmeServerCert.cfg', path)
+
+        logger.info('Adding acmeServerCert into profile.list')
+        profile_list = subsystem.config.get('profile.list').split(',')
+        if 'acmeServerCert' not in profile_list:
+            profile_list.append('acmeServerCert')
+            profile_list.sort()
+            subsystem.config['profile.list'] = ','.join(profile_list)
+
+        logger.info('Adding profile.acmeServerCert.class_id')
+        subsystem.config['profile.acmeServerCert.class_id'] = 'caEnrollImpl'
+
+        logger.info('Adding profile.acmeServerCert.config')
+        subsystem.config['profile.acmeServerCert.config'] = path
+
+        self.backup(subsystem.cs_conf)
+        subsystem.save()
diff --git a/docs/installation/Installing_ACME_Responder.md b/docs/installation/Installing_ACME_Responder.md
index 1327a34016f..df65358937c 100644
--- a/docs/installation/Installing_ACME_Responder.md
+++ b/docs/installation/Installing_ACME_Responder.md
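Review bot: `profile_list.sort()` in upgrade_subsystem reorders every existing entry of profile.list on upgraded instances, whereas the fresh-install CS.cfg in this same commit places acmeServerCert at the head of an otherwise unsorted list, so upgraded and freshly installed CAs end up with different profile.list orderings; if the shipped order is intended, `profile_list.insert(0, 'acmeServerCert')` without the sort keeps them consistent. `subsystem.config.get('profile.list').split(',')` raises AttributeError rather than a clear message if the key is absent; `subsystem.config.get('profile.list', '')` with empty entries filtered out would make the scriptlet robust on a stripped-down CS.cfg, though I assume the key is always present on a CA. `self.backup(path)` is called immediately after the check that found path does not exist — presumably the backup helper tolerates a missing file for rollback purposes, but that is worth confirming. Because this scriptlet registers a new enrollment profile on every upgraded CA with only an info-level log, a class docstring such as `"""Register the acmeServerCert profile on upgraded CA instances; its enable state and access controls come from the copied acmeServerCert.cfg."""` would help operators auditing profile exposure after an upgrade.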
@@ -14,24 +14,6 @@ It assumes that the CA was [installed](Installing_CA.md) with the default instan * The API, configuration, or the database may change in the future. * There may be no easy upgrade path to the future version. -## Installing ACME Profile - -The acmeServerCert.cfg is a sample profile for generating server certificates via ACME responder. - -This profile is currently not installed by default in the CA, so it needs to be added and enabled manually. - -To add the profile, execute the following command: - -``` -$ pki -u caadmin -w Secret.123 ca-profile-add /usr/share/pki/ca/profiles/acmeServerCert.cfg --raw -``` - -To enable the profile, execute the following command: - -``` -$ pki -u caadmin -w Secret.123 ca-profile-enable acmeServerCert -``` - ## Installing ACME Responder To install the ACME responder on PKI server, execute the following command: