3 files changed, 23 insertions, 5 deletions

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 533023f2e..e73a098df 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -227,6 +227,10 @@ def parse_options():
     cert_group.add_option("--subject", action="callback", callback=subject_callback,
                       type="string",
                       help="The certificate subject base (default O=<realm-name>)")
+    cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
+                      type="choice",
+                      choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+                      help="Signing algorithm of the IPA CA certificate")
     parser.add_option_group(cert_group)
 
     dns_group = OptionGroup(parser, "DNS options")
@@ -1093,7 +1097,8 @@ def main():
             dogtag_constants=dogtag.install_constants)
         if external == 0:
             ca.configure_instance(host_name, domain_name, dm_password,
-                                  dm_password, subject_base=options.subject)
+                                  dm_password, subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
         elif external == 1:
             # stage 1 of external CA installation
             options.realm_name = realm_name
@@ -1108,14 +1113,16 @@ def main():
             write_cache(vars(options))
             ca.configure_instance(host_name, domain_name, dm_password,
                                   dm_password, csr_file=paths.ROOT_IPA_CSR,
-                                  subject_base=options.subject)
+                                  subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
         else:
             # stage 2 of external CA installation
             ca.configure_instance(host_name, domain_name, dm_password,
                                   dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
-                                  subject_base=options.subject)
+                                  subject_base=options.subject,
+                                  ca_signing_algorithm=options.ca_signing_algorithm)
 
         # Now put the CA cert where other instances exepct it
         ca.publish_ca_cert(CACERT)
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8cc2ffa45..ecea26db1 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 
 .SS "DNS OPTIONS"
 .TP
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b0037dd56..c26046c47 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -369,7 +369,7 @@ class CAInstance(DogtagInstance):
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
                            master_replication_port=None,
-                           subject_base=None):
+                           subject_base=None, ca_signing_algorithm=None):
         """Create a CA instance.
 
            For Dogtag 9, this may involve creating the pki-ca instance.
@@ -395,6 +395,10 @@ class CAInstance(DogtagInstance):
             self.subject_base = DN(('O', self.realm))
         else:
             self.subject_base = subject_base
+        if ca_signing_algorithm is None:
+            self.ca_signing_algorithm = 'SHA256withRSA'
+        else:
+            self.ca_signing_algorithm = ca_signing_algorithm
 
         # Determine if we are installing as an externally-signed CA and
         # what stage we're in.
@@ -517,6 +521,9 @@ class CAInstance(DogtagInstance):
         config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
         config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
 
+        # CA key algorithm
+        config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
+
         if self.clone:
             cafile = self.pkcs12_info[0]
             shutil.copy(cafile, paths.TMP_CA_P12)
@@ -643,7 +650,8 @@ class CAInstance(DogtagInstance):
                     "-db_name", "ipaca",
                     "-key_size", "2048",
                     "-key_type", "rsa",
-                    "-key_algorithm", "SHA256withRSA",
+                    "-key_algorithm", self.ca_signing_algorithm,
+                    "-signing_algorithm", "SHA256withRSA",
                     "-save_p12", "true",
                     "-backup_pwd", self.admin_password,
                     "-subsystem_name", self.service_name,