authorJan Cholasta <jcholast@redhat.com>2014-08-06 09:43:19 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-29 13:40:57 +0200
commitf8f3d5868820136422c63f80540f1e1ff5387861 (patch)
tree2b053e815610f4038855b5fe1f4cfbd9057462d3 /install
parentcd9a4cca1fe17998a342fde000ece5bf46d13d27 (diff)
Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
This is especially useful for external CA install, as the algorithm is also used for the CSR signature. https://fedorahosted.org/freeipa/ticket/4447 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-server-install13
-rw-r--r--install/tools/man/ipa-server-install.13
2 files changed, 13 insertions, 3 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 533023f2e..e73a098df 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -227,6 +227,10 @@ def parse_options():
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
+ cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
+ type="choice",
+ choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+ help="Signing algorithm of the IPA CA certificate")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
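Review bot: `SHA1withRSA` is accepted in `choices` for `--ca-signing-algorithm`, and nothing in the help string marks it as a legacy value. SHA-1 certificate signatures are widely deprecated, and the commit message notes the same algorithm is used for the CSR signature, so an operator who picks it weakens the root of the whole IPA PKI. The man page frames the option as a fallback for external CAs that cannot handle the default, and the help text should say the same, e.g. `help="Signing algorithm of the IPA CA certificate (default SHA256withRSA; use SHA1withRSA only if the external CA cannot handle SHA-2)"`. parse_options() starts and ends outside the hunk.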
@@ -1093,7 +1097,8 @@ def main():
dogtag_constants=dogtag.install_constants)
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
- dm_password, subject_base=options.subject)
+ dm_password, subject_base=options.subject,
+ ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
# stage 1 of external CA installation
options.realm_name = realm_name
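Review bot: `options.ca_signing_algorithm` is `None` whenever the flag is omitted, because the new `add_option` call sets no `default=`. This call and both `configure_instance` calls in the next hunk forward that value unchanged. The man page promises SHA256withRSA as the default, so it has to be applied inside `configure_instance`, which is not visible here; if it is not, the algorithm silently becomes whatever the CA backend picks. Either set `default='SHA256withRSA'` on the option or add a comment at this call such as `# None lets configure_instance apply the documented default (SHA256withRSA)`. main() starts and ends outside the hunk.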
@@ -1108,14 +1113,16 @@ def main():
write_cache(vars(options))
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
- subject_base=options.subject)
+ subject_base=options.subject,
+ ca_signing_algorithm=options.ca_signing_algorithm)
else:
# stage 2 of external CA installation
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
- subject_base=options.subject)
+ subject_base=options.subject,
+ ca_signing_algorithm=options.ca_signing_algorithm)
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert(CACERT)
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8cc2ffa45..ecea26db1 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "DNS OPTIONS"
.TP