install: fix --external-ca-profile option

Commit dd47cfc75a removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).

Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini.  This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it).  It also allows users to
override the pki_req_ext_* settings.

Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fraser Tweedale 2019-07-12 13:13:02 +10:00 committed by Alexander Bokovoy
parent 130e1dc343
commit 21a9a7107a
2 changed files with 0 additions and 6 deletions

@ -93,11 +93,6 @@ pki_ca_signing_key_type=%(ipa_ca_key_type)s
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_token=%(pki_token_name)s pki_ca_signing_token=%(pki_token_name)s
# MS subca request ext data
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
pki_req_ext_critical=False
pki_req_ext_data=1E0A00530075006200430041
## ocspSigningCert cert-pki-ca ## ocspSigningCert cert-pki-ca
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s pki_ocsp_signing_key_size=%(ipa_key_size)s
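Review bot: the removed "MS subca request ext data" block drops pki_req_ext_critical together with pki_req_ext_oid and pki_req_ext_data, but the commit message only says the framework sets the OID and data values. Please confirm the installer supplies all three keys whenever it requests the extension, and that an --external-ca-type=ms-cs install without --external-ca-profile still produces the V1 default this data encodes (1E0A00530075006200430041 is the DER BMPString "SubCA"). If pki_req_ext_critical is now expected to come from a pkispawn default, state that in the commit message. The change has 0 additions, so neither path is exercised by a test; a check on the extension in the generated CSR would catch the regression described above.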

@ -115,7 +115,6 @@ pki_ca_starting_crl_number=0
pki_external=False pki_external=False
pki_external_step_two=False pki_external_step_two=False
pki_req_ext_add=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s pki_external_pkcs12_password=%(pki_pkcs12_password)s
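Review bot: deleting pki_req_ext_add=False (between pki_external_step_two and pki_external_pkcs12_path) leaves this file with no value for the switch that controls whether the request extension is added at all. Please confirm what yields False for an external CA install that is not ms-cs, either the framework setting it explicitly or a pkispawn default, and name that source in the commit message. If a user override of pki_req_ext_oid or pki_req_ext_data also requires setting pki_req_ext_add, document that next to the override, since the commit message presents overriding pki_req_ext_* as a supported use.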