From 93346b1cf9ffae5afdd9bb71684f22922dbc8ea4 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 29 Aug 2014 13:35:45 +0200 Subject: Normalize external CA cert before passing it to pkispawn https://fedorahosted.org/freeipa/ticket/4019 Reviewed-By: Petr Viktorin --- ipaserver/install/cainstance.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'ipaserver') diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e8bb7d701..36a1db060 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -534,6 +534,11 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_external_csr_path", self.csr_file) elif self.external == 2: + cert = x509.load_certificate_from_file(self.cert_file) + cert_file = tempfile.NamedTemporaryFile() + x509.write_certificate(cert.der_data, cert_file.name) + cert_file.flush() + cert_chain, stderr, rc = ipautil.run( [paths.OPENSSL, 'crl2pkcs7', '-certfile', self.cert_chain_file, @@ -546,7 +551,7 @@ class CAInstance(DogtagInstance): cert_chain_file = ipautil.write_tmp_file(cert_chain) config.set("CA", "pki_external", "True") - config.set("CA", "pki_external_ca_cert_path", self.cert_file) + config.set("CA", "pki_external_ca_cert_path", cert_file.name) config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") @@ -660,10 +665,15 @@ class CAInstance(DogtagInstance): args.append("-ext_csr_file") args.append(self.csr_file) elif self.external == 2: + cert = x509.load_certificate_from_file(self.cert_file) + cert_file = tempfile.NamedTemporaryFile() + x509.write_certificate(cert.der_data, cert_file.name) + cert_file.flush() + args.append("-external") args.append("true") args.append("-ext_ca_cert_file") - args.append(self.cert_file) + args.append(cert_file.name) args.append("-ext_ca_cert_chain_file") args.append(self.cert_chain_file) else: -- cgit
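Review bot: The added `cert_file.flush()` in the `elif self.external == 2:` branch at line 534 flushes a handle that nothing was written through, because `x509.write_certificate(cert.der_data, cert_file.name)` is given the path rather than the open file object. If that helper opens the path itself (its body is not shown here), the flush is a no-op, and whether the data is on disk depends entirely on the helper closing its own handle. The normalized file also exists only while `cert_file` is referenced, so the branch deserves a comment such as `# keep cert_file referenced until pkispawn has read it; NamedTemporaryFile deletes the file on close`. The same pattern is repeated in the hunk at line 665, and the enclosing method starts and ends outside this hunk, so whether pkispawn runs before the local goes out of scope cannot be confirmed from here.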
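Review bot: The four lines added at line 665 are a copy of the block added at line 534, so any later change to how the external CA certificate is re-serialized or how the temporary file is handled has to be made in two install paths. A small private method on `CAInstance` that loads `self.cert_file`, writes the normalized copy and returns the `NamedTemporaryFile` object would keep them identical, with each branch reduced to `cert_file = self._normalized_external_cert()` (the name is a suggestion). The helper should return the file object rather than only its name, because the file is removed once the object is closed or collected, and its docstring should say the caller must hold the reference until the consumer has read the file. Separately, the certificate is normalized here but `self.cert_chain_file` is still passed as supplied, which may be intended for this code path but is worth a one-line comment. The enclosing method continues outside the hunk.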