Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
parent
4b5a488249
commit
359dfe58b9
@ -202,11 +202,11 @@ def parse_options():
|
||||
|
||||
cert_group = OptionGroup(parser, "certificate system options")
|
||||
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
|
||||
default=False, help="Generate a CSR to be signed by an external CA")
|
||||
default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
|
||||
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
|
||||
help="PEM file containing a certificate signed by the external CA")
|
||||
help="File containing the IPA CA certificate signed by the external CA in PEM format")
|
||||
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
|
||||
help="PEM file containing the external CA chain")
|
||||
help="File containing the external CA certificate chain in PEM format")
|
||||
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
|
||||
default=True, help="disables pkinit setup steps")
|
||||
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
|
||||
|
@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
|
||||
.SS "CERTIFICATE SYSTEM OPTIONS"
|
||||
.TP
|
||||
\fB\-\-external\-ca\fR
|
||||
Generate a CSR to be signed by an external CA
|
||||
Generate a CSR for the IPA CA certificate to be signed by an external CA.
|
||||
.TP
|
||||
\fB\-\-external_cert_file\fR=\fIFILE\fR
|
||||
PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
|
||||
File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
|
||||
.TP
|
||||
\fB\-\-external_ca_file\fR=\fIFILE\fR
|
||||
PEM file containing the external CA chain
|
||||
File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
|
||||
|
||||
If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
|
||||
|
||||
openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
|
||||
.TP
|
||||
\fB\-\-no\-pkinit\fR
|
||||
Disables pkinit setup steps
|
||||
|
@ -590,9 +590,20 @@ class CAInstance(service.Service):
|
||||
config.set("CA", "pki_external_csr_path", self.csr_file)
|
||||
|
||||
elif self.external == 2:
|
||||
cert_chain, stderr, rc = ipautil.run(
|
||||
[paths.OPENSSL, 'crl2pkcs7',
|
||||
'-certfile', self.cert_chain_file,
|
||||
'-nocrl'])
|
||||
# Dogtag chokes on the header and footer, remove them
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1127838
|
||||
cert_chain = re.search(
|
||||
r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
|
||||
cert_chain, re.DOTALL).group(0)
|
||||
cert_chain_file = ipautil.write_tmp_file(cert_chain)
|
||||
|
||||
config.set("CA", "pki_external", "True")
|
||||
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
|
||||
config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
|
||||
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
|
||||
config.set("CA", "pki_external_step_two", "True")
|
||||
|
||||
# Generate configuration file
|
||||
|
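Review bot: The `re.search(...).group(0)` on the new lines raises a bare AttributeError when openssl's stdout carries no `-----BEGIN PKCS7-----`/`-----END PKCS7-----` pair — the case a user-supplied `--external_ca_file` with no parsable PEM certificate is most likely to hit, and the resulting traceback says nothing about the chain file. Bind the match first and fail with a message naming the file: `match = re.search(r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)', cert_chain, re.DOTALL)` followed by `if match is None: raise RuntimeError("could not convert %s to PKCS#7" % self.cert_chain_file)` before `cert_chain = match.group(0)`. Whether a non-zero openssl exit already aborts here depends on `ipautil.run`'s default, which is not visible in the hunk; if it does not raise, `rc` should be checked as well. Note also that `cert_chain_file` is a temporary file referenced only by this local while the config stores `cert_chain_file.name`; if pkispawn is invoked after this scope ends (the enclosing method starts and ends outside the hunk, so this cannot be confirmed), the file may be gone before it is read, and a one-line comment stating that the file must outlive the pkispawn call would help the next maintainer.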