ipa-cacert-manage: add --external-ca-type

Add the `--external-ca-type`, as known from `ipa-server-install` and `ipa-ca-install`, to `ipa-cacert-manage`. This allows creating IPA CA CSRs suitable for use with Microsoft CS using `ipa-cacert-manage`: ``` ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs ``` https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-24 07:10:41 +00:00 · 2017-04-24 07:10:41 +00:00 · b03ede8796
commit b03ede8796
parent 21f4cbf8da
2 changed files with 20 additions and 4 deletions
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@ -78,6 +78,9 @@ Sign the renewed certificate by itself.
 \fB\-\-external\-ca\fR
 Sign the renewed certificate by external CA.
 .TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .RE
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@ -54,6 +54,12 @@ class CACertManage(admintool.AdminTool):
            "--self-signed", dest='self_signed',
            action='store_true',
            help="Sign the renewed certificate by itself")
+        ext_cas = ("generic", "ms-cs")
+        renew_group.add_option(
+            "--external-ca-type", dest="external_ca_type",
+            type="choice", choices=ext_cas,
+            metavar="{{{0}}}".format(",".join(ext_cas)),
+            help="Type of the external CA. Default: generic")
        renew_group.add_option(
            "--external-ca", dest='self_signed',
            action='store_false',
@ -179,7 +185,12 @@ class CACertManage(admintool.AdminTool):
    def renew_external_step_1(self, ca):
        print("Exporting CA certificate signing request, please wait")

-        self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse')
+        if self.options.external_ca_type == 'ms-cs':
+            profile = 'SubCA'
+        else:
+            profile = ''
+
+        self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse', profile)

        print(("The next step is to get %s signed by your CA and re-run "
              "ipa-cacert-manage as:" % paths.IPA_CA_CSR))
@ -286,11 +297,11 @@ class CACertManage(admintool.AdminTool):

        print("CA certificate successfully renewed")

-    def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent'):
+    def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''):
        timeout = api.env.startup_timeout + 60

        self.log.debug("resubmitting certmonger request '%s'", self.request_id)
-        certmonger.resubmit_request(self.request_id, ca=ca, profile='')
+        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
        try:
            state = certmonger.wait_for_request(self.request_id, timeout)
        except RuntimeError:
@ -304,7 +315,9 @@ class CACertManage(admintool.AdminTool):
                "please check the request manually" % self.request_id)

        self.log.debug("modifying certmonger request '%s'", self.request_id)
-        certmonger.modify(self.request_id, ca='dogtag-ipa-ca-renew-agent')
+        certmonger.modify(self.request_id,
+                          ca='dogtag-ipa-ca-renew-agent',
+                          profile='')

    def install(self):
        print("Installing CA certificate, please wait")