authorJan Cholasta <jcholast@redhat.com>2014-08-29 13:35:45 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-04 12:13:11 +0200
commit93346b1cf9ffae5afdd9bb71684f22922dbc8ea4 (patch)
tree3d106fdc0aa430028a579e516b255f234d4b234e /ipaserver
parent8aa01e24a1664f5f523732f79ae8d842fb4417a8 (diff)
Normalize external CA cert before passing it to pkispawn
https://fedorahosted.org/freeipa/ticket/4019 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py14
1 files changed, 12 insertions, 2 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e8bb7d701..36a1db060 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -534,6 +534,11 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_external_csr_path", self.csr_file)
elif self.external == 2:
+ cert = x509.load_certificate_from_file(self.cert_file)
+ cert_file = tempfile.NamedTemporaryFile()
+ x509.write_certificate(cert.der_data, cert_file.name)
+ cert_file.flush()
+
cert_chain, stderr, rc = ipautil.run(
[paths.OPENSSL, 'crl2pkcs7',
'-certfile', self.cert_chain_file,
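Review bot: `cert_file.flush()` has no effect here, because `x509.write_certificate` is given `cert_file.name` and writes through the path rather than through the `NamedTemporaryFile` handle, so nothing is ever buffered on that handle. What matters instead is the object's lifetime: a `NamedTemporaryFile` is removed when it is closed or collected, so `cert_file` has to stay referenced until pkispawn has read `pki_external_ca_cert_path`, which happens outside this hunk. I would drop the flush and add `# keep cert_file alive until pkispawn has run; the temp file is deleted on close`. The same four lines are repeated in the third hunk (the `-ext_ca_cert_file` branch) and could become one small helper. The diff adds no import lines, so this presumably relies on `tempfile` and `x509` already being imported in cainstance.py.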
@@ -546,7 +551,7 @@ class CAInstance(DogtagInstance):
cert_chain_file = ipautil.write_tmp_file(cert_chain)
config.set("CA", "pki_external", "True")
- config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+ config.set("CA", "pki_external_ca_cert_path", cert_file.name)
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
@@ -660,10 +665,15 @@ class CAInstance(DogtagInstance):
args.append("-ext_csr_file")
args.append(self.csr_file)
elif self.external == 2:
+ cert = x509.load_certificate_from_file(self.cert_file)
+ cert_file = tempfile.NamedTemporaryFile()
+ x509.write_certificate(cert.der_data, cert_file.name)
+ cert_file.flush()
+
args.append("-external")
args.append("true")
args.append("-ext_ca_cert_file")
- args.append(self.cert_file)
+ args.append(cert_file.name)
args.append("-ext_ca_cert_chain_file")
args.append(self.cert_chain_file)
else:
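Review bot: Only the certificate is re-encoded on this path; `-ext_ca_cert_chain_file` still receives `self.cert_chain_file` exactly as the operator supplied it. If the tool invoked here is as strict about input format as pkispawn, the chain file likely needs the same treatment, or a comment such as `# chain file is passed through unchanged: <reason>` explaining why it does not. The enclosing method starts and ends outside the hunk.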