authorJan Cholasta <jcholast@redhat.com>2014-10-08 10:51:31 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-13 12:18:09 +0200
commit4cdeacdedfe344e570da99548043a07a6fa24dbe (patch)
tree3e1316b61f7da81a9241c25fcbfa0a5ace37a4f8 /install
parent9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 (diff)
downloadfreeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.tar.gz
freeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.tar.xz
freeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.zip
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs" is selected, the CSR generated for the IPA CA will include MS template name extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA". https://fedorahosted.org/freeipa/ticket/4496 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-ca-install10
-rwxr-xr-xinstall/tools/ipa-server-install10
-rw-r--r--install/tools/man/ipa-ca-install.16
-rw-r--r--install/tools/man/ipa-server-install.13
4 files changed, 27 insertions, 2 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index bd30b27ae..a5c3ad9a6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -66,6 +66,9 @@ def parse_options():
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
+ parser.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms-cs"),
+ help="Type of the external CA")
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
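Review bot: The new `--external-ca-type` option has no `default=`, so `options.external_ca_type` is `None` when the flag is omitted, and `--help` does not tell the operator which values are accepted or which one is the default even though the man page promises "generic". The "generic" default must therefore be implemented by whatever consumes `ca_type` (outside this hunk), which is worth confirming. I would make the help self-describing: `help="Type of the external CA: generic or ms-cs (default: generic; ms-cs adds the MS template name extension to the CSR)"`. Keeping the unset value `None` is deliberate here, since the later presence check relies on it, so a `default=` should not be added without adjusting that check.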
@@ -87,6 +90,10 @@ def parse_options():
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
return safe_options, options, filename
@@ -306,7 +313,8 @@ def install_master(safe_options, options):
elif external == 1:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
- subject_base=subject_base)
+ subject_base=subject_base,
+ ca_type=options.external_ca_type)
else:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
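Review bot: `ca_type=options.external_ca_type` is passed through unconditionally in the `external == 1` branch, so `configure_instance` receives `None` whenever `--external-ca-type` was not given; the hunk does not show that `None` and `"generic"` are treated the same, and that equivalence is what the man page's stated default depends on. A one-line comment on the call would make the contract explicit for the next reader: `# ca_type is None unless --external-ca-type was given; None must behave as "generic"`. Per the commit description the only effect of `"ms-cs"` is the MS template-name extension requesting "SubCA" in the CSR, so a comment noting that the issuing CA's template policy, not this flag, decides whether a subordinate CA certificate is actually issued would also help operators. `install_master` begins before the hunk and continues after it.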
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index ffff20a27..39c13547c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -204,6 +204,9 @@ def parse_options():
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
+ cert_group.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms-cs"),
+ help="Type of the external CA")
cert_group.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
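Review bot: As in ipa-ca-install, the option is declared without `default=` and with a help string that names neither the accepted values nor the default, so `ipa-server-install --help` gives the operator less than the man page does. The choice type already rejects anything other than "generic" or "ms-cs", so the only change needed is the help text; I would use the same wording in both tools, e.g. `help="Type of the external CA: generic or ms-cs (default: generic; ms-cs adds the MS template name extension to the CSR)"`. Leaving the unset value as `None` is required by the presence check added later in this commit.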
@@ -375,6 +378,10 @@ def parse_options():
parser.error("You cannot specify service certificate file options "
"together with --external-ca")
+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
if (options.external_cert_files and
any(not os.path.isabs(path) for path in options.external_cert_files)):
parser.error("--external-cert-file must use an absolute path")
@@ -1164,7 +1171,8 @@ def main():
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=options.subject,
- ca_signing_algorithm=options.ca_signing_algorithm)
+ ca_signing_algorithm=options.ca_signing_algorithm,
+ ca_type=options.external_ca_type)
else:
# stage 2 of external CA installation
ca.configure_instance(host_name, domain_name, dm_password,
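Review bot: The stage-1 call now forwards `ca_type=options.external_ca_type`, which is `None` unless the flag was given, while the stage-2 call below (`--external-cert-file`) does not pass it at all; that is consistent with the CSR having already been generated in stage 1, but nothing here records that `ca_type` only matters for CSR generation. A short comment above the stage-1 call would prevent someone later "fixing" the asymmetry: `# ca_type only affects the generated CSR (ms-cs adds the template name extension); stage 2 does not need it`. Whether `None` is treated as "generic" lives in `configure_instance`, outside this hunk, and should be confirmed. `main()` begins before the hunk and continues after it.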
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8f7201c20..ba31a289c 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -37,6 +37,12 @@ Directory Manager (existing master) password
\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
Admin user Kerberos password used for connection check
.TP
+\fB\-\-external\-ca\fR
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
+.TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
+.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 582108e6f..e5c9c319b 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -87,6 +87,9 @@ An unattended installation that will never prompt for user input
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
+.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP