authorJan Cholasta <jcholast@redhat.com>2014-08-08 10:15:26 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-08-14 10:06:27 +0200
commit359dfe58b94079e1e16f4fb8960eb29b251f2cbc (patch)
tree569c616911574f8a9566c197a80ca064aab87033 /ipaserver
parent4b5a4882497ce7c3ecdf8f898fc695b2309df1b5 (diff)
Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py13
1 files changed, 12 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b64588c0f..2a8ecc00c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -590,9 +590,20 @@ class CAInstance(service.Service):
config.set("CA", "pki_external_csr_path", self.csr_file)
elif self.external == 2:
+ cert_chain, stderr, rc = ipautil.run(
+ [paths.OPENSSL, 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+ # Dogtag chokes on the header and footer, remove them
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+ cert_chain = re.search(
+ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+ cert_chain, re.DOTALL).group(0)
+ cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file