-rwxr-xr-xinstall/tools/ipa-server-install6
-rw-r--r--install/tools/man/ipa-server-install.110
-rw-r--r--ipaserver/install/cainstance.py13
3 files changed, 22 insertions, 7 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index dc3655b8e..a54725458 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -202,11 +202,11 @@ def parse_options():
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
- default=False, help="Generate a CSR to be signed by an external CA")
+ default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
- help="PEM file containing a certificate signed by the external CA")
+ help="File containing the IPA CA certificate signed by the external CA in PEM format")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
- help="PEM file containing the external CA chain")
+ help="File containing the external CA certificate chain in PEM format")
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
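Review bot: The new `--external_cert_file` and `--external_ca_file` help strings still omit the mutual requirement that the man-page hunk in this same commit states ("Must be given with ..."), so `--help` and the man page disagree on the contract. Appending that sentence to both help strings keeps the two in sync, e.g. `help="File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with --external_ca_file"` and the mirror for `--external_ca_file`. The hunk also says "PEM format" for the chain file without mentioning the PKCS#7 conversion hint the man page gives; a short pointer ("see the man page for converting PKCS#7") would save users a failed install. `parse_options` starts and ends outside this hunk.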
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 4adf1d037..d713d2db4 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
-Generate a CSR to be signed by an external CA
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external_cert_file\fR=\fIFILE\fR
-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
+File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
.TP
\fB\-\-external_ca_file\fR=\fIFILE\fR
-PEM file containing the external CA chain
+File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
+
+If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
+
+ openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b64588c0f..2a8ecc00c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -590,9 +590,20 @@ class CAInstance(service.Service):
config.set("CA", "pki_external_csr_path", self.csr_file)
elif self.external == 2:
+ cert_chain, stderr, rc = ipautil.run(
+ [paths.OPENSSL, 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+ # Dogtag chokes on the header and footer, remove them
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+ cert_chain = re.search(
+ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+ cert_chain, re.DOTALL).group(0)
+ cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file
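Review bot: The `re.search(...).group(0)` chain at the new lines will raise a bare `AttributeError: 'NoneType' object has no attribute 'group'` whenever openssl's output contains no `-----BEGIN PKCS7-----`/`-----END PKCS7-----` pair (empty or DER-encoded chain file, a PEM file that holds only a private key, or openssl writing its diagnostics to stderr and nothing to stdout), which gives the installer user no hint that `--external_ca_file` is the problem. The match should be checked and turned into an error naming the input file, as below; `rc` is captured but never inspected, so if `ipautil.run` does not raise on a non-zero exit by default (not visible here), an openssl failure is likewise only surfaced as this regex miss. Separately, `cert_chain_file` is presumably a `NamedTemporaryFile` (from `ipautil.write_tmp_file`, not shown) that is unlinked when the object is collected; only its `.name` is stored in `config`, so the local must stay alive until pkispawn has read the chain — worth a one-line comment such as `# keep cert_chain_file referenced until pkispawn has consumed it` so a later refactor does not drop it early. The enclosing method starts and ends outside this hunk, and the `re` import is not visible in this hunk either.
```python
cert_chain, stderr, rc = ipautil.run(
    [paths.OPENSSL, 'crl2pkcs7',
     '-certfile', self.cert_chain_file,
     '-nocrl'])
# Dogtag chokes on the header and footer, remove them
# https://bugzilla.redhat.com/show_bug.cgi?id=1127838
match = re.search(
    r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
    cert_chain, re.DOTALL)
if match is None:
    raise RuntimeError(
        "openssl crl2pkcs7 produced no PEM PKCS#7 blob from %s; "
        "is the external CA chain a PEM file?" % self.cert_chain_file)
cert_chain = match.group(0)
# keep cert_chain_file referenced until pkispawn has consumed it
cert_chain_file = ipautil.write_tmp_file(cert_chain)
# ... unchanged: config.set(...) calls ...
```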