Lightweight CAs: enrol cert via profile subsystem

Enrol new CA certs via the profile subsystem to ensure that the
usual audit events are logged and to avoid the nasty ConfigStore
hack used to generate the cert via CertUtil.

This commit also fixes an issue where the new CA certificate does
not have the correct Authority Key Identifier extension.

Fixes: https://fedorahosted.org/pki/ticket/1624
Fixes: https://fedorahosted.org/pki/ticket/1632

1 files changed, 3 insertions, 0 deletions

diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
index 96bc39229..376654e98 100644
--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
@@ -34,6 +34,7 @@ import netscape.security.x509.X509CertInfo;
 
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 
+import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
@@ -562,6 +563,7 @@ public interface ICertificateAuthority extends ISubsystem {
      * Create a new sub-CA under the specified parent CA.
      */
     public ICertificateAuthority createCA(
+            IAuthToken authToken,
             String dn, AuthorityID parentAID, String desc)
         throws EBaseException;
 
@@ -572,6 +574,7 @@ public interface ICertificateAuthority extends ISubsystem {
      * caller's responsibility.
      */
     public ICertificateAuthority createSubCA(
+            IAuthToken authToken,
             String dn, String desc)
         throws EBaseException;