author | Jan Cholasta <jcholast@redhat.com> | 2014-08-05 09:06:39 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-09-05 13:59:04 +0200 |
commit | 6ad8c464a43260f8f58dc262f841c35be35b57b5 (patch) | |
tree | d596fb119f94b21a2c01c839a0659b74a4aacf6f /install/tools/ipa-server-install | |
parent | 418ce870bfbe13cea694a7b862cafe35c703f660 (diff) | |
Make CA-less ipa-server-install option --root-ca-file optional.
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is therefore not actually user-selectable, use the CA cert from the PKCS#12
files by default if it is present there.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/tools/ipa-server-install')
-rwxr-xr-x | install/tools/ipa-server-install | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6e77b434a..c81914951 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -69,7 +69,7 @@ from ipapython import sysrestore
from ipapython.ipautil import *
from ipapython import ipautil
from ipapython import dogtag
-from ipalib import api, errors, util
+from ipalib import api, errors, util, x509
from ipapython.config import IPAOptionParser
from ipalib.util import validate_domain_name
from ipalib.constants import CACERT
@@ -223,7 +223,7 @@ def parse_options():
cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
help="The password of the Kerberos KDC PKCS#12 file")
cert_group.add_option("--root-ca-file", dest="root_ca_file",
- help="PEM file with root CA certificate(s) to trust")
+ help="PEM file containing the CA certificate for the PKCS#12 files")
cert_group.add_option("--subject", action="callback",
callback=subject_callback, type="string",
help="The certificate subject base (default O=<realm-name>)")
@@ -316,10 +316,6 @@ def parse_options():
if options.pkinit_pkcs12 and options.pkinit_pin is None:
parser.error("You must specify --pkinit_pin with --pkinit_pkcs12")

- if options.dirsrv_pkcs12 and not options.root_ca_file:
- parser.error(
- "--root-ca-file must be given with the PKCS#12 options.")
-
if (options.external_cert_file or options.external_ca_file) and options.dirsrv_pkcs12:
parser.error(
"PKCS#12 options cannot be used with the external CA options.")
@@ -920,7 +916,7 @@ def main():
if options.http_pin is None:
sys.exit("%s unlock password required" % options.http_pkcs12)
http_pkcs12_info = (options.http_pkcs12, options.http_pin)
- http_cert_name = installutils.check_pkcs12(
+ http_ca_cert = installutils.check_pkcs12(
http_pkcs12_info, ca_file, host_name)

if options.dirsrv_pkcs12:
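Review bot: With the parse-time guard removed in the @@ -316 hunk, a CA-less install that passes neither --root-ca-file nor a PKCS#12 file that bundles its issuing CA is no longer rejected by parse_options; whether installutils.check_pkcs12 (outside this diff) fails hard in that case or returns None cannot be seen here and should be confirmed, because its return value later becomes the published trust anchor. The new contract deserves a comment next to the remaining PKCS#12 checks, e.g. `# --root-ca-file is optional: check_pkcs12 falls back to the CA cert bundled in the PKCS#12 file`. The help text in the @@ -223 hunk now says "the CA certificate" (singular) where the old wording allowed "certificate(s)", so the man page should state that only the issuing CA is expected. parse_options starts before and ends after this hunk.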
@@ -931,7 +927,7 @@ def main():
if options.dirsrv_pin is None:
sys.exit("%s unlock password required" % options.dirsrv_pkcs12)
dirsrv_pkcs12_info = (options.dirsrv_pkcs12, options.dirsrv_pin)
- dirsrv_cert_name = installutils.check_pkcs12(
+ dirsrv_ca_cert = installutils.check_pkcs12(
dirsrv_pkcs12_info, ca_file, host_name)

if options.pkinit_pkcs12:
@@ -943,6 +939,11 @@ def main():
sys.exit("%s unlock password required" % options.pkinit_pkcs12)
pkinit_pkcs12_info = (options.pkinit_pkcs12, options.pkinit_pin)

+ if (options.http_pkcs12 and options.dirsrv_pkcs12 and
+ http_ca_cert != dirsrv_ca_cert):
+ sys.exit("%s and %s are not signed by the same CA certificate" %
+ (options.http_pkcs12, options.dirsrv_pkcs12))
+
if not options.dm_password:
dm_password = read_dm_password()

@@ -1073,8 +1074,7 @@ def main():
ntp.create_instance()

if options.dirsrv_pkcs12:
- ds = dsinstance.DsInstance(fstore=fstore,
- cert_nickname=dirsrv_cert_name)
+ ds = dsinstance.DsInstance(fstore=fstore)
ds.create_instance(realm_name, host_name, domain_name,
dm_password, dirsrv_pkcs12_info,
idstart=options.idstart, idmax=options.idmax,
@@ -1128,7 +1128,7 @@ def main():
ca.publish_ca_cert(CACERT)
else:
# Put the CA cert where other instances expect it
- shutil.copy(options.root_ca_file, CACERT)
+ x509.write_certificate(http_ca_cert, CACERT)
os.chmod(CACERT, 0444)

# we now need to enable ssl on the ds |
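Review bot: The same-CA check added in the @@ -943 hunk compares only the HTTP and LDAP results, so the PKINIT PKCS#12 file handled on the lines just above it is never compared against that CA and a KDC certificate issued by a different CA passes this validation; if that is intended, a comment should say so, otherwise the comparison should be extended once the pkinit file also goes through check_pkcs12. The `!=` is also only meaningful if check_pkcs12 returns the certificate bytes or an object with value equality, and if it can return None when the PKCS#12 carries no CA cert and no --root-ca-file was given, two None values compare equal and the check passes vacuously. I would add `if http_ca_cert is None or dirsrv_ca_cert is None: sys.exit("no CA certificate found in the PKCS#12 files; use --root-ca-file")` before the comparison, plus a comment `# both PKCS#12 files must chain to the same CA, which becomes the published trust anchor`. main() starts before and ends after this hunk.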
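Review bot: Only a single certificate reaches CACERT now: in the @@ -1128 hunk x509.write_certificate(http_ca_cert, CACERT) replaces a shutil.copy that preserved the whole --root-ca-file PEM, which the old help text described as "root CA certificate(s)", so any extra chain certificates an administrator put in that file no longer reach the published trust anchor when the server certificates come from an intermediate CA. That behaviour change is worth stating above the call, e.g. `# Only the issuing CA cert returned by check_pkcs12 is published; --root-ca-file is no longer copied verbatim`. In addition, http_ca_cert is assigned only under `if options.http_pkcs12:` earlier in main(), so this else branch relies on parse_options enforcing --http_pkcs12 for the CA-less path, which is not visible here; if it does not, this line raises UnboundLocalError after the directory server has already been set up. main() starts before and ends after this hunk.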