Convert external CA chain to PKCS#7 before passing it to pkispawn.

https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This commit is contained in:
Jan Cholasta 2014-08-08 10:15:26 +02:00 committed by Petr Viktorin
parent 4b5a488249
commit 359dfe58b9
3 changed files with 22 additions and 7 deletions

View File

@ -202,11 +202,11 @@ def parse_options():
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
help="PEM file containing a certificate signed by the external CA")
help="File containing the IPA CA certificate signed by the external CA in PEM format")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
help="PEM file containing the external CA chain")
help="File containing the external CA certificate chain in PEM format")
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",

View File

@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
Generate a CSR to be signed by an external CA
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external_cert_file\fR=\fIFILE\fR
PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
.TP
\fB\-\-external_ca_file\fR=\fIFILE\fR
PEM file containing the external CA chain
File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps

View File

@ -590,9 +590,20 @@ class CAInstance(service.Service):
config.set("CA", "pki_external_csr_path", self.csr_file)
elif self.external == 2:
cert_chain, stderr, rc = ipautil.run(
[paths.OPENSSL, 'crl2pkcs7',
'-certfile', self.cert_chain_file,
'-nocrl'])
# Dogtag chokes on the header and footer, remove them
# https://bugzilla.redhat.com/show_bug.cgi?id=1127838
cert_chain = re.search(
r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
cert_chain, re.DOTALL).group(0)
cert_chain_file = ipautil.write_tmp_file(cert_chain)
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file