Diffstat (limited to 'base/server/python')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py25
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py49
2 files changed, 72 insertions, 2 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 6da08c587..b8505dd9b 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -19,6 +19,7 @@
#
from __future__ import absolute_import
+import binascii
import json
import re
@@ -97,6 +98,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
try:
if external and step_one: # external CA step 1 only
+ subject_dn = subsystem.config['preop.cert.signing.dn']
+
# Determine CA signing key type and algorithm
key_type = deployer.mdict['pki_ca_signing_key_type']
@@ -149,15 +152,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
'critical': True
}
+ # if specified, add generic CSR extension
+ generic_exts = None
+
+ if 'preop.cert.signing.ext.oid' in subsystem.config and \
+ 'preop.cert.signing.ext.data' in subsystem.config:
+
+ data = subsystem.config['preop.cert.signing.ext.data']
+ critical = subsystem.config['preop.cert.signing.ext.critical']
+
+ generic_ext = {
+ 'oid': subsystem.config['preop.cert.signing.ext.oid'],
+ 'data': binascii.unhexlify(data),
+ 'critical': config.str2bool(critical)
+ }
+
+ generic_exts = [generic_ext]
+
nssdb.create_request(
- subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
+ subject_dn=subject_dn,
request_file=external_csr_path,
key_type=key_type,
key_size=key_size,
curve=curve,
hash_alg=hash_alg,
basic_constraints_ext=basic_constraints_ext,
- key_usage_ext=key_usage_ext)
+ key_usage_ext=key_usage_ext,
+ generic_exts=generic_exts)
with open(external_csr_path) as f:
signing_csr = f.read()
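Review bot: The guard at the top of the added block only checks that the `preop.cert.signing.ext.oid` and `preop.cert.signing.ext.data` keys exist, yet `preop.cert.signing.ext.critical` is then read with `subsystem.config[...]`, so a CS.cfg that carries the oid and data but omits the critical flag fails with a bare KeyError; reading it with a default, `critical = subsystem.config.get('preop.cert.signing.ext.critical', 'false')`, keeps the three keys consistent with the comment "if specified". `binascii.unhexlify(data)` raises `binascii.Error` for odd-length or non-hex input, and the resulting bytes are placed into the CSR as an opaque extension value with no further check, so an operator typo in the deployment file surfaces only here, in the configuration step, without the parameter name; catching `binascii.Error` around the call and re-raising with the offending key name would make the failure diagnosable. The `try:` that encloses this code and the method itself start outside the hunk, so what ultimately handles these exceptions is not visible here.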
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index c3ae89090..18fc3e1ef 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -43,6 +43,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(
+ deployer.mdict['pki_subsystem'].lower())
+
if config.str2bool(deployer.mdict['pki_hsm_enable']):
deployer.password.create_hsm_password_conf(
deployer.mdict['pki_shared_password_conf'],
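Review bot: The `subsystem` returned by `instance.get_subsystem(...)` is used unconditionally later in this method (the system-cert loop and `subsystem.save()` in the second hunk); if `get_subsystem` can return `None` for a name it does not know — I cannot confirm its contract from here — the failure would surface as an AttributeError deep in the loop rather than as a message naming the instance and subsystem. A guard right after the call, e.g. `if subsystem is None: raise Exception('Unknown subsystem: ' + deployer.mdict['pki_subsystem'])`, would localise it. The enclosing method starts before this hunk.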
@@ -158,6 +164,49 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Always delete the temporary 'pfile'
deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+ # Store system cert parameters in installation step to guarantee the
+ # parameters exist during configuration step and to allow customization.
+
+ certs = subsystem.find_system_certs()
+ for cert in certs:
+
+ # get CS.cfg tag and pkispawn tag
+ config_tag = cert['id']
+ deploy_tag = config_tag
+
+ if config_tag == 'signing': # for CA and OCSP
+ deploy_tag = subsystem.name + '_signing'
+
+ elif config_tag == 'sslserver':
+ deploy_tag = 'ssl_server'
+
+ # store nickname
+ nickname = deployer.mdict['pki_%s_nickname' % deploy_tag]
+ subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname
+
+ # store subject DN
+ subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag]
+ subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn
+
+ # TODO: move more system cert params here
+
+ # If specified in the deployment parameter, add generic CA signing cert
+ # extension parameters into the CS.cfg. Generic extension for other
+ # system certs can be added directly into CS.cfg after before the
+ # configuration step.
+
+ if subsystem.type == 'CA':
+ if deployer.configuration_file.add_req_ext:
+
+ subsystem.config['preop.cert.signing.ext.oid'] = \
+ deployer.configuration_file.req_ext_oid
+ subsystem.config['preop.cert.signing.ext.data'] = \
+ deployer.configuration_file.req_ext_data
+ subsystem.config['preop.cert.signing.ext.critical'] = \
+ deployer.configuration_file.req_ext_critical.lower()
+
+ subsystem.save()
+
def update_external_certs_conf(self, external_path, deployer):
external_certs = pki.server.PKIInstance.read_external_certs(
external_path)
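Review bot: `deployer.configuration_file.req_ext_data` is copied into `preop.cert.signing.ext.data` as-is, so a value that is not valid hex is only rejected later, when the configuration scriptlet unhexlifies it; since the stated purpose of this block is to guarantee the parameters exist for the configuration step, validating the value here with `binascii.unhexlify(deployer.configuration_file.req_ext_data)` (and a descriptive error naming the parameter) would fail the installation step early, before CS.cfg is written — this would need `import binascii` at the top of the file, which is outside the hunk. The comment above that block has a slip: "can be added directly into CS.cfg after before the configuration step" should read "can be added directly into CS.cfg before the configuration step". The `'pki_%s_nickname' % deploy_tag` and `'pki_%s_subject_dn' % deploy_tag` lookups raise KeyError for any system cert whose tag has no matching pkispawn parameter, which is presumably intended for the known tags but worth a comment, e.g. `# every system cert tag must have pki_<tag>_nickname / _subject_dn in the deployment parameters`. The enclosing method starts outside the hunk.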