authorEndi S. Dewata <edewata@redhat.com>2016-05-11 19:33:51 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-12 17:32:55 +0200
commitb5b2ea7762b2fb3a7248aa779ce4f4ebd1e7ef9b (patch)
treec26d8b8c10057c4361e155dca2441a6ea6b8d882 /base/server/python
parentd39e24e48c74e31e2232768040b264d372e1fe76 (diff)
Fixed missing CSR extensions for external CA case.
The deployment tool has been modified to generate a CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. https://fedorahosted.org/pki/ticket/2312
Diffstat (limited to 'base/server/python')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py23
1 files changed, 22 insertions, 1 deletions
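diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 373b58ef4..6da08c587 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -98,6 +98,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 if external and step_one: # external CA step 1 only
 # Determine CA signing key type and algorithm
+
 key_type = deployer.mdict['pki_ca_signing_key_type']
 key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
@@ -125,19 +126,38 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # If filename specified, generate CA cert request and
 # import it into CS.cfg.
+
 external_csr_path = deployer.mdict['pki_external_csr_path']
 if external_csr_path:
+
 config.pki_log.info(
 "generating CA signing certificate request in %s",
 external_csr_path,
 extra=config.PKI_INDENTATION_LEVEL_2)
+
+ basic_constraints_ext = {
+ 'ca': True,
+ 'path_length': None,
+ 'critical': True
+ }
+
+ key_usage_ext = {
+ 'digitalSignature': True,
+ 'nonRepudiation': True,
+ 'certSigning': True,
+ 'crlSigning': True,
+ 'critical': True
+ }
+
 nssdb.create_request(
 subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
 request_file=external_csr_path,
 key_type=key_type,
 key_size=key_size,
 curve=curve,
- hash_alg=hash_alg)
+ hash_alg=hash_alg,
+ basic_constraints_ext=basic_constraints_ext,
+ key_usage_ext=key_usage_ext)
 with open(external_csr_path) as f:
 signing_csr = f.read()
@@ -148,6 +168,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # This is needed by IPA to detect step 1 completion.
 # See is_step_one_done() in ipaserver/install/cainstance.py.
+
 subsystem.config['preop.ca.type'] = 'otherca'
 subsystem.save()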
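Review bot: The two extension dictionaries added before the `nssdb.create_request` call in the second hunk are inline literals with no comment recording why the CSR now carries them, even though the commit message ties them to the external-CA case; a comment such as `# Request CA basic constraints and key usage in the CSR so an external CA can issue a CA-profile certificate (ticket 2312); the issuing CA decides whether requested extensions are honored.` above `basic_constraints_ext = {` would keep that rationale next to the code. Since the values are fixed rather than read from `deployer.mdict` like the neighbouring subject DN and key parameters, hoisting them to module-level constants (proposed names `CA_SIGNING_BASIC_CONSTRAINTS` and `CA_SIGNING_KEY_USAGE`) would make them reusable and easier to check in tests. The new `basic_constraints_ext=` and `key_usage_ext=` keywords rely on `create_request` in the NSS database helper accepting them, which lies outside this diffstat (limited to base/server/python), so the companion change should be confirmed. The blank lines added in the first and third hunks are unrelated whitespace. The enclosing method starts and ends outside these hunks.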