diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index ca909a005..715c35b08 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -172,7 +172,7 @@ def install_replica(safe_options, options, filename):
 options.domain_name = config.domain_name
 options.dm_password = config.dirman_password
 options.host_name = config.host_name
- options.subject = config.subject_base
+ options.subject_base = config.subject_base
 if os.path.exists(cafile):
 options.ca_cert_file = cafile
 else:
@@ -201,7 +201,7 @@ def install_master(safe_options, options):
 options.domain_name = api.env.domain
 options.dm_password = dm_password
 options.host_name = api.env.host
- options.subject = subject_base
+ options.subject_base = subject_base
 ca.install_check(True, None, options)
 ca.install(True, None, options)
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 2249e221c..07f772ad4 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -122,8 +122,8 @@ Name of the Kerberos KDC SSL certificate to install
 \fB\-\-ca\-cert\-file\fR=\fIFILE\fR
 File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
 .TP
-\fB\-\-subject\fR=\fISUBJECT\fR
-The certificate subject base (default O=REALM.NAME)
+\fB\-\-subject\-base\fR=\fISUBJECT\fR
+The subject base for certificates issued by IPA (default O=REALM.NAME)
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 56f6692c8..b5b2f2aaf 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -66,7 +66,7 @@ def install_check(standalone, replica_config, options):
 realm_name = options.realm_name
 host_name = options.host_name
- subject_base = options.subject
+ subject_base = options.subject_base
 if replica_config is not None:
 if standalone and api.env.ra_plugin == 'selfsign':
@@ -110,7 +110,7 @@ def install_check(standalone, replica_config, options):
 external_cert_file, external_ca_file = installutils.load_external_cert(
 options.external_cert_files,
- DN(('CN', 'Certificate Authority'), options.subject)
+ DN(('CN', 'Certificate Authority'), options.subject_base)
 )
 elif options.external_ca:
 if cainstance.is_step_one_done():
@@ -164,7 +164,7 @@ def install_step_0(standalone, replica_config, options):
 host_name = options.host_name
 if replica_config is None:
- subject_base = options.subject
+ subject_base = options.subject_base
 ca_signing_algorithm = options.ca_signing_algorithm
 if options.external_ca:
@@ -236,7 +236,7 @@ def install_step_1(standalone, replica_config, options):
 realm_name = options.realm_name
 host_name = options.host_name
- subject_base = options.subject
+ subject_base = options.subject_base
 basedn = ipautil.realm_to_suffix(realm_name)
@@ -379,14 +379,15 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
 if any(not os.path.isabs(path) for path in value):
 raise ValueError("must use an absolute path")
- subject = knob(
+ subject_base = knob(
 str, None, description="The certificate subject base (default O=)",
+ cli_deprecated_names=['--subject'],
 )
- subject = master_install_only(subject)
+ subject_base = master_install_only(subject_base)
- @subject.validator
- def subject(self, value):
+ @subject_base.validator
+ def subject_base(self, value):
 v = unicode(value, 'utf-8')
 if any(ord(c) < 0x20 for c in v):
 raise ValueError("must not contain control characters")
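Review bot: The knob's `description` in the `CAInstallInterface` hunk was left as "The certificate subject base (default O=)", while the man page in this same commit now reads "The subject base for certificates issued by IPA (default O=REALM.NAME)", so the `--help` text and the man page disagree, and the default shown here stops after `O=` (possibly lost in rendering). I would align them with `description="The subject base for certificates issued by IPA (default O=REALM.NAME)",` and put a one-line comment above the new argument, `# --subject is kept as a deprecated alias so existing install scripts keep working`. Since this value ends up in the subject DN of issued certificates, the `subject_base` validator would also benefit from a short docstring saying which inputs it rejects. Both the class and the validator body continue outside the hunk, so only the control-character check is visible here.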
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 36bbb4b49..6b13bec6c 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -464,8 +464,8 @@ def install_check(installer):
 else:
 realm_name = options.realm_name.upper()
- if not options.subject:
- options.subject = DN(('O', realm_name))
+ if not options.subject_base:
+ options.subject_base = DN(('O', realm_name))
 if options.http_cert_files:
 if options.http_pin is None:
@@ -725,7 +725,7 @@ def install(installer):
 ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax,
- subject_base=options.subject,
+ subject_base=options.subject_base,
 hbac_allow=not options.no_hbac_allow)
 else:
 ds = dsinstance.DsInstance(fstore=fstore,
@@ -735,7 +735,7 @@ def install(installer):
 ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax,
- subject_base=options.subject,
+ subject_base=options.subject_base,
 hbac_allow=not options.no_hbac_allow)
 ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name)
@@ -747,7 +747,7 @@ def install(installer):
 installer._ds = ds
 ds.init_info(
 realm_name, host_name, domain_name, dm_password,
- options.subject, 1101, 1100, None)
+ options.subject_base, 1101, 1100, None)
 if setup_ca:
 if not options.external_cert_files and options.external_ca:
@@ -781,7 +781,7 @@ def install(installer):
 dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info,
- subject_base=options.subject)
+ subject_base=options.subject_base)
 # restart DS to enable ipa-pwd-extop plugin
 print("Restarting directory server to enable password extension plugin")
@@ -811,13 +811,13 @@ def install(installer):
 if options.http_cert_files:
 http.create_instance(
 realm_name, host_name, domain_name,
- pkcs12_info=http_pkcs12_info, subject_base=options.subject,
+ pkcs12_info=http_pkcs12_info, subject_base=options.subject_base,
 auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca)
 else:
 http.create_instance(
 realm_name, host_name, domain_name,
- subject_base=options.subject,
+ subject_base=options.subject_base,
 auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca)
 tasks.restore_context(paths.CACHE_IPA_SESSIONS)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 212616908..915281d78 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -796,7 +796,7 @@ def install_check(installer):
 if ca_enabled:
 options.realm_name = config.realm_name
 options.host_name = config.host_name
- options.subject = config.subject_base
+ options.subject_base = config.subject_base
 ca.install_check(False, config, options)
 if kra_enabled:
@@ -1203,7 +1203,7 @@ def promote_check(installer):
 if ca_enabled:
 options.realm_name = config.realm_name
 options.host_name = config.host_name
- options.subject = config.subject_base
+ options.subject_base = config.subject_base
 ca.install_check(False, config, options)
 if kra_enabled: