From fc7c684b122cbcf1ff31c0ee45551388abb588fc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 25 Jul 2017 17:03:36 +1000
Subject: [PATCH] ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud
---
 install/tools/ipa-ca-install | 10 ++++++++++
 install/tools/man/ipa-ca-install.1 | 21 ++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 457949289..3bdd7634d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -69,6 +69,11 @@ def parse_options():
 type="choice", choices=ext_cas,
 metavar="{{{0}}}".format(",".join(ext_cas)),
 help="Type of the external CA. Default: generic")
+ parser.add_option("--external-ca-profile", dest="external_ca_profile",
+ type='constructor', constructor=cainstance.ExternalCAProfile,
+ default=None, metavar="PROFILE-SPEC",
+ help="Specify the certificate profile/template to use "
+ "at the external CA")
 parser.add_option("--external-cert-file", dest="external_cert_files",
 action="append", metavar="FILE",
 help="File containing the IPA CA certificate and the external CA certificate chain")
@@ -116,6 +121,11 @@ def parse_options():
 parser.error(
 "You cannot specify --external-ca-type without --external-ca")
+ if options.external_ca_profile and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-profile "
+ "without --external-ca")
+
 return safe_options, options, filename
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 79703a47c..99ff91878 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
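Review bot: The new `--external-ca-profile` value is parsed into `options.external_ca_profile` but nothing in this file passes it on; the diffstat shows only these two hunks touching ipa-ca-install, so the profile reaches the CA installer only if the code that receives `options` reads `external_ca_profile` itself, which is worth confirming, otherwise the option is silently ignored. The metavar `PROFILE-SPEC` also differs from the man page's `PROFILE_SPEC`; `metavar="PROFILE_SPEC"` keeps `--help` and the manual in step. Converting the value at parse time via `cainstance.ExternalCAProfile` means a malformed spec is rejected before any install step runs, which is the right place, assuming the `constructor` option type reports a failing constructor as a parser error rather than a traceback. parse_options starts before this hunk.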
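Review bot: The guard `if options.external_ca_profile and not options.external_ca:` tests the parsed `ExternalCAProfile` object for truthiness, so if that class ever defines `__bool__` or `__len__` a falsy profile would slip past the check and be accepted without `--external-ca`; since the option defaults to `None`, `if options.external_ca_profile is not None and not options.external_ca:` states the intent exactly. The error message mirrors the neighbouring `--external-ca-type` check, which keeps the two validations consistent. parse_options starts before this hunk.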
@@ -48,7 +48,26 @@ Admin user Kerberos password used for connection check Generate a CSR for the IPA CA certificate to be signed by an external CA. .TP \fB\-\-external\-ca\-type\fR=\fITYPE\fR -Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR. +Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details). + +.TP +\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR +Specify the certificate profile or template to use at the external CA. + +When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used: + +.RS +.TP +\fB:[:]\fR +Specify a certificate template by OID and major version, optionally also specifying minor version. +.TP +\fB\fR +Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence). +.TP +\fBdefault\fR +If no template is specified, the template name "SubCA" is used. +.RE + .TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.