From d7e1ab8438b02db9250b0985be29ac3325c2d2dc Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Jun 15 2017 11:55:09 +0000 Subject: Add a README to certificate profile templates directory There have been several instances of people using the profile configuration template files as actual profile configurations, resulting in failures and support load. Add a README to the profile template directory to explain that these files should not be used and advise of the recommend procedure. Fixes: https://pagure.io/freeipa/issue/7014 Reviewed-By: Martin Basti --- diff --git a/freeipa.spec.in b/freeipa.spec.in index 0f2a5a9..72f79c9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1306,6 +1306,7 @@ fi %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/README %{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/html %{_usr}/share/ipa/html/ffconfig.js diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am index 640ca0a..37496cb 100644 --- a/install/share/profiles/Makefile.am +++ b/install/share/profiles/Makefile.am @@ -2,6 +2,7 @@ NULL = appdir = $(IPA_DATA_DIR)/profiles app_DATA = \ + README \ caIPAserviceCert.cfg \ IECUserRoles.cfg \ KDCs_PKINIT_Certs.cfg \ diff --git a/install/share/profiles/README b/install/share/profiles/README new file mode 100644 index 0000000..cc3c25d --- /dev/null +++ b/install/share/profiles/README 
@@ -0,0 +1,20 @@ +This directory contains profile TEMPLATES for certificate profiles +included in FreeIPA. Do not import these files or modifications +thereof - it is likely that Dogtag will accept the configuration, +but certificate issuance will fail with the updated configuration. +At best, it will not give you the certificates you want. + +If you want to modify a profile configuration or create a new +profile based on an existing profile configuration, you should +export the current profile configuration with the command: + + ipa certprofile-show --out FILENAME PROFILE_NAME + +After modifying the configuration, update the profile configuration: + + ipa certprofile-mod --file FILENAME PROFILE_NAME + +Or if you are creating a new profile: + + ipa certprofile-import --desc DESC --store 1 \ + --file FILENAME NEW_PROFILE_NAME
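Review bot: In the new install/share/profiles/README, the "creating a new profile" step does not say where FILENAME comes from or what has to change in it before import. As written, a reader can still pass one of the .cfg files from this directory to `ipa certprofile-import`, which is the mistake the README exists to prevent. Suggest stating that FILENAME is the file produced by the `ipa certprofile-show --out` step above. If the exported configuration carries the original profile's identifier, the README should also tell the reader to change it to NEW_PROFILE_NAME before importing. Two smaller points in the same hunk: `--store 1` is a literal value among placeholders (DESC, FILENAME, NEW_PROFILE_NAME), so either explain in one line what it controls or make it a placeholder too; and the warning says issuance "will fail" after importing a template but gives no recovery step for someone who has already done so.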