-rwxr-xr-x | install/tools/ipa-ca-install | 11 | ||||
-rw-r--r-- | install/tools/man/ipa-ca-install.1 | 3 |
2 files changed, 12 insertions, 2 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index a5c3ad9a6..0ea8cf24d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -72,6 +72,10 @@ def parse_options():
 parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain")
+ parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
+ type="choice",
+ choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+ help="Signing algorithm of the IPA CA certificate")
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
@@ -309,18 +313,21 @@ def install_master(safe_options, options):
 ca.create_ra_agent_db = False
 if external == 0:
 ca.configure_instance(host_name, domain_name, dm_password,
- dm_password, subject_base=subject_base)
+ dm_password, subject_base=subject_base,
+ ca_signing_algorithm=options.ca_signing_algorithm)
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, subject_base=subject_base,
+ ca_signing_algorithm=options.ca_signing_algorithm,
 ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password, dm_password, cert_file=external_cert_file.name, cert_chain_file=external_ca_file.name,
- subject_base=subject_base)
+ subject_base=subject_base,
+ ca_signing_algorithm=options.ca_signing_algorithm)
 ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index ba31a289c..aa186987a 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
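Review bot: The `choices` tuple of the new `--ca-signing-algorithm` option accepts `SHA1withRSA` on equal footing with the SHA-2 variants, and the help string gives no hint that it is the weak one. SHA-1 is no longer collision-resistant, so a CA that signs with it weakens every certificate it issues. If it has to stay for external CAs that cannot sign anything stronger, the help text should say so and name the default, e.g. `help="Signing algorithm of the IPA CA certificate (default SHA256withRSA; SHA1withRSA only if the external CA supports nothing stronger)"`. parse_options continues outside the hunk.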
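Review bot: All three `configure_instance` calls forward `options.ca_signing_algorithm` as-is, and the option is declared without a `default`, so the value is `None` whenever the flag is omitted. The SHA256withRSA default promised in the man page therefore depends on how `configure_instance` treats `None`, which this diff does not show. In the `else` branch (certificate files supplied) the value is read from the command line a second time, so a run that omits or changes the flag would pass something different from what was used when the CSR was created; it is worth confirming that this is harmless. Once confirmed, a short comment above the first call would record the contract, e.g. `# ca_signing_algorithm is None unless given; configure_instance applies the default`. install_master starts and ends outside the hunk.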
@@ -46,6 +46,9 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+.TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
 .TP |