From 359dfe58b94079e1e16f4fb8960eb29b251f2cbc Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 8 Aug 2014 10:15:26 +0200
Subject: Convert external CA chain to PKCS#7 before passing it to pkispawn.

https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin
---
ipaserver/install/cainstance.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'ipaserver')

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b64588c0f..2a8ecc00c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -590,9 +590,20 @@ class CAInstance(service.Service):
config.set("CA", "pki_external_csr_path", self.csr_file)
elif self.external == 2:
+ cert_chain, stderr, rc = ipautil.run(
+ [paths.OPENSSL, 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+ # Dogtag chokes on the header and footer, remove them
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+ cert_chain = re.search(
+ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+ cert_chain, re.DOTALL).group(0)
+ cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")

# Generate configuration file
-- cgit
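Review bot: The new `cert_chain = re.search(...).group(0)` dereferences the match unconditionally, so when `openssl crl2pkcs7` emits no `-----BEGIN PKCS7-----` block (an empty or non-PEM chain file supplied by the admin, or a different output format) the installer dies with an opaque `AttributeError: 'NoneType' object has no attribute 'group'` instead of naming the bad input. Bind the match first and fail with a message that points at `self.cert_chain_file`, as in the fence below (substitute the installer's usual error type if it has one). The `stderr, rc` values returned by `ipautil.run` are never read and could be `_, _`, assuming `run` raises on a non-zero exit status by default, which this call seems to rely on. `cert_chain_file` is a temporary file object whose path is handed to pkispawn through the config, so it must stay referenced until pkispawn has consumed it; the enclosing method continues past the hunk, so that cannot be confirmed here.

```python
            # … unchanged: openssl crl2pkcs7 invocation …
            # Dogtag chokes on the header and footer, remove them
            # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
            match = re.search(
                r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
                cert_chain, re.DOTALL)
            if match is None:
                raise RuntimeError(
                    "openssl crl2pkcs7 produced no PKCS#7 block for %s"
                    % self.cert_chain_file)
            cert_chain = match.group(0)
            cert_chain_file = ipautil.write_tmp_file(cert_chain)
```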