Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.

This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.

https://fedorahosted.org/freeipa/ticket/4447

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Jan Cholasta
2014-08-06 09:43:19 +02:00
committed by Martin Kosek
parent b69510b9bf
commit 081580779b
3 changed files with 23 additions and 5 deletions


@@ -226,6 +226,10 @@ def parse_options():
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice",
choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
help="Signing algorithm of the IPA CA certificate")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
@@ -1075,7 +1079,8 @@ def main():
dogtag_constants=dogtag.install_constants)
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, subject_base=options.subject)
dm_password, subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
# stage 1 of external CA installation
options.realm_name = realm_name
@@ -1090,14 +1095,16 @@ def main():
write_cache(vars(options))
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=options.subject)
subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm)
else:
# stage 2 of external CA installation
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
subject_base=options.subject)
subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm)
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert(CACERT)
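Review bot: The `--ca-signing-algorithm` help string in the first hunk names no default and gives no guidance on the three choices, while the man page changed in this same commit documents the default and the external-CA use case; the two should agree. Suggested: `help="Signing algorithm of the IPA CA certificate (default SHA256withRSA; SHA1withRSA is offered only for external CAs that cannot sign with SHA-2)"`. In the third hunk the stage-2 call also passes `options.ca_signing_algorithm`; whether stage 2 replays the value cached by `write_cache` in stage 1 or accepts a fresh value is not visible here, and if it is the latter a mismatch with the stage-1 CSR would pass silently, so this is worth confirming against the cache-reading code outside the hunk.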


@@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "DNS OPTIONS"
.TP


@@ -420,7 +420,7 @@ class CAInstance(service.Service):
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
subject_base=None):
subject_base=None, ca_signing_algorithm=None):
"""Create a CA instance.
For Dogtag 9, this may involve creating the pki-ca instance.
@@ -446,6 +446,10 @@ class CAInstance(service.Service):
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
if ca_signing_algorithm is None:
self.ca_signing_algorithm = 'SHA256withRSA'
else:
self.ca_signing_algorithm = ca_signing_algorithm
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
@@ -573,6 +577,9 @@ class CAInstance(service.Service):
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
# CA key algorithm
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12)
@@ -720,7 +727,8 @@ class CAInstance(service.Service):
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
"-key_algorithm", "SHA256withRSA",
"-key_algorithm", self.ca_signing_algorithm,
"-signing_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
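Review bot: `ca_signing_algorithm` is stored in the second hunk without any check, so the only validation is the `choices` list in ipa-server-install's option parser, and any other caller of configure_instance would pass an arbitrary string straight into the pkispawn config as `pki_ca_signing_key_algorithm` (third hunk) and onto the pkisilent command line as `-key_algorithm` (last hunk). Validate at the API boundary as well, e.g. after the `is None` branch add `elif ca_signing_algorithm not in ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'):` / `raise ValueError("unsupported CA signing algorithm: %s" % ca_signing_algorithm)`. In the last hunk `-key_algorithm` now follows the option while `-signing_algorithm` stays hard-coded at "SHA256withRSA"; if the intent is that only the CA certificate's own signature is configurable and certificates issued by the CA keep SHA-256, a comment such as `# -key_algorithm: signature on the CA cert itself; -signing_algorithm: signatures on issued certs` would keep the next reader from "fixing" the asymmetry. The configure_instance docstring, which continues outside the first hunk, should also list the new parameter and its default; the methods enclosing the last two hunks begin outside the hunks.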