Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

The --ca-signing-algorithm option is already available in ipa-server-install;
make it available in ipa-ca-install as well.

https://fedorahosted.org/freeipa/ticket/4447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Jan Cholasta
2014-10-08 12:18:06 +02:00
committed by Petr Vobornik
parent 3f9d1a71f1
commit cf860c7154
2 changed files with 12 additions and 2 deletions


@@ -72,6 +72,10 @@ def parse_options():
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice",
choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
help="Signing algorithm of the IPA CA certificate")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -309,18 +313,21 @@ def install_master(safe_options, options):
ca.create_ra_agent_db = False
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, subject_base=subject_base)
dm_password, subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm,
ca_type=options.external_ca_type)
else:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=external_cert_file.name,
cert_chain_file=external_ca_file.name,
subject_base=subject_base)
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
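Review bot: The new `--ca-signing-algorithm` option in parse_options() offers `SHA1withRSA` on equal footing with the SHA-2 choices, and its help text neither names the default nor marks SHA-1 as a compatibility-only value. A SHA-1 signature on a CA certificate is collision-weak, so the help should steer operators away from it unless an external CA requires it, for example `help="Signing algorithm of the IPA CA certificate (default SHA256withRSA; use SHA1withRSA only if the external CA requires it)"`. No `default=` is passed to add_option, so `options.ca_signing_algorithm` is None when the flag is omitted; the SHA256withRSA default stated in the man page presumably comes from configure_instance, which is not visible here and is worth confirming. The bodies of parse_options() and install_master() both continue outside these hunks.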


@@ -46,6 +46,9 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP