diff options
author | Jan Cholasta <jcholast@redhat.com> | 2014-10-08 10:51:31 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-13 12:18:09 +0200 |
commit | 4cdeacdedfe344e570da99548043a07a6fa24dbe (patch) | |
tree | 3e1316b61f7da81a9241c25fcbfa0a5ace37a4f8 /ipaserver | |
parent | 9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 (diff) | |
download | freeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.tar.gz freeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.tar.xz freeipa-4cdeacdedfe344e570da99548043a07a6fa24dbe.zip |
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 50217086c..2c912206a 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -384,7 +384,8 @@ class CAInstance(DogtagInstance): pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, master_replication_port=None, - subject_base=None, ca_signing_algorithm=None): + subject_base=None, ca_signing_algorithm=None, + ca_type=None): """Create a CA instance. For Dogtag 9, this may involve creating the pki-ca instance. @@ -414,6 +415,10 @@ class CAInstance(DogtagInstance): self.ca_signing_algorithm = 'SHA256withRSA' else: self.ca_signing_algorithm = ca_signing_algorithm + if ca_type is not None: + self.ca_type = ca_type + else: + self.ca_type = 'generic' # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -566,6 +571,13 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_external", "True") config.set("CA", "pki_external_csr_path", self.csr_file) + if self.ca_type == 'ms-cs': + # Include MS template name extension in the CSR + config.set("CA", "pki_req_ext_add", "True") + config.set("CA", "pki_req_ext_oid", "1.3.6.1.4.1.311.20.2") + config.set("CA", "pki_req_ext_critical", "False") + config.set("CA", "pki_req_ext_data", "1E0A00530075006200430041") + elif self.external == 2: cert = x509.load_certificate_from_file(self.cert_file) cert_file = tempfile.NamedTemporaryFile() |