Added mechanism to import existing CA certificate.

The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.

https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)

1 files changed, 7 insertions, 3 deletions

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index ddd2d8367..1c1ae92b3 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -22,6 +22,7 @@ sensitive_parameters=
     pki_client_pkcs12_password
     pki_clone_pkcs12_password
     pki_ds_password
+    pki_external_pkcs12_password
     pki_one_time_pin
     pki_pin
     pki_replication_password
@@ -365,10 +366,13 @@ pki_req_ext_add=False
 pki_req_ext_oid=1.3.6.1.4.1.311.20.2
 pki_req_ext_critical=False
 pki_req_ext_data=1E0A00530075006200430041
-pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr
+pki_external_csr_path=
 pki_external_step_two=False
-pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
-pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_chain_nickname=caSigningCert External CA
+pki_external_ca_cert_path=
+pki_external_pkcs12_path=
+pki_external_pkcs12_password=
 pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048