When PROTOGENI is on, put in the url of the protogeni XMLRPC server.

account/mkusercert.in

@@ -294,6 +294,23 @@ system("cp -f $TEMPLATE usercert.cnf") == 0
 open(TEMP, ">>usercert.cnf")
     or fatal("Could not open $TEMPLATE for append: $!");
 
+if ($PGENISUPPORT) {
+    my $url = "@PROTOGENI_URL@/sa";
+    
+    # unregistered OID 2.25.305821105408246119474742976030998643995
+    # (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
+    # is used to indicate generic ProtoGENI XMLRPC servers.
+    print TEMP
+	"authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$url\n";
+}
+
+print TEMP "\n";
+print TEMP "[ req_distinguished_name ]\n";
+print TEMP "C\t\t=@SSLCERT_COUNTRY@\n";
+print TEMP "ST\t\t=@SSLCERT_STATE@\n";
+print TEMP "L\t\t=@SSLCERT_LOCALITY@\n";
+print TEMP "O\t\t=@SSLCERT_ORGNAME@\n";
+
 if ($PGENISUPPORT && $encrypted) {
     print TEMP "OU\t\t= $PGENIDOMAIN.$user_uid\n";
 }
@@ -304,7 +321,7 @@ print TEMP "CN\t\t= $user_uuid\n";
 print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
 
 print TEMP "\n[ req_altname ]\nURI=urn:publicid:IDN+$OURDOMAIN" .
-    "+user+$user_uid\nemail=$user_uid" . "\@" . "$OURDOMAIN\n";
+    "+user+$user_uid\nemail=$user_uid" . "\@" . "$OURDOMAIN\n\n";
 
 close(TEMP)
     or fatal("Could not close usercert.cnf: $!");

ssl/usercert.cnf.in

@@ -7,15 +7,15 @@ default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 req_extensions	        = request_extensions
 string_mask             = nombstr
+oid_section		= protogeni_oids
+
+[ protogeni_oids ]
+xmlrpc = 2.25.305821105408246119474742976030998643995
 
 [ request_extensions ]
 basicConstraints=critical,CA:FALSE
 subjectKeyIdentifier=hash
 subjectAltName=@req_altname
 
+# Modifed for update 5.21
 # This will be appended to by mkusercert.
-[ req_distinguished_name ]
-C                      = @SSLCERT_COUNTRY@
-ST                     = @SSLCERT_STATE@
-L                      = @SSLCERT_LOCALITY@
-O                      = @SSLCERT_ORGNAME@