| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-10-08 01:09:22 -0400 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-02-22 16:48:34 -0500 |
| commit | da4ca36ef5e378f55259438b4f72491d0966e5e7 (patch) | |
| tree | 598d0ae41123b7d31f8f4eb9356a0c75125b5424 /base/ca/src/org | |
| parent | 754b15db85c22903b3f9b18742ab2649fc556ad3 (diff) | |
Lightweight CAs: enrol cert via profile subsystem
Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.
This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.
Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632
Diffstat (limited to 'base/ca/src/org')
| -rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index b77788378..85203cb03 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
+import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.util.Utils;

@@ -179,8 +180,12 @@ public class AuthorityService extends PKIService implements AuthorityResource {
 throw new BadRequestException("Bad Authority ID: " + parentAIDString);
 }

+ PKIPrincipal principal =
+ (PKIPrincipal) servletRequest.getUserPrincipal();
+
 try {
 ICertificateAuthority subCA = hostCA.createCA(
+ principal.getAuthToken(),
 data.getDN(), parentAID, data.getDescription());
 return createOKResponse(readAuthorityData(subCA));
 } catch (IllegalArgumentException e) { |
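Review bot: The cast `(PKIPrincipal) servletRequest.getUserPrincipal()` in the second hunk is unchecked, and `principal.getAuthToken()` dereferences the result without a null test. If a request reaches this point unauthenticated, or was authenticated by a realm that supplies another Principal type, the call fails with a NullPointerException or ClassCastException, which the visible `catch (IllegalArgumentException e)` does not handle, so the client would probably get a generic server error instead of an authorization failure. Because the auth token appears to be what the profile subsystem authorizes and audits the CA enrolment against, I would make the precondition explicit before the `try`, for example `if (!(servletRequest.getUserPrincipal() instanceof PKIPrincipal)) { /* reject with the service's 401/403 exception */ }`. The enclosing method begins and ends outside the hunk, so an ACL or authentication filter may already guarantee an authenticated PKIPrincipal here; if it does, a one-line comment above the cast stating that assumption would be enough.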
