diff options
-rwxr-xr-x | install/tools/ipa-server-install | 13 | ||||
-rw-r--r-- | install/tools/man/ipa-server-install.1 | 3 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 12 |
3 files changed, 23 insertions, 5 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 533023f2e..e73a098df 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -227,6 +227,10 @@ def parse_options(): cert_group.add_option("--subject", action="callback", callback=subject_callback, type="string", help="The certificate subject base (default O=<realm-name>)") + cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm", + type="choice", + choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), + help="Signing algorithm of the IPA CA certificate") parser.add_option_group(cert_group) dns_group = OptionGroup(parser, "DNS options") @@ -1093,7 +1097,8 @@ def main(): dogtag_constants=dogtag.install_constants) if external == 0: ca.configure_instance(host_name, domain_name, dm_password, - dm_password, subject_base=options.subject) + dm_password, subject_base=options.subject, + ca_signing_algorithm=options.ca_signing_algorithm) elif external == 1: # stage 1 of external CA installation options.realm_name = realm_name @@ -1108,14 +1113,16 @@ def main(): write_cache(vars(options)) ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, - subject_base=options.subject) + subject_base=options.subject, + ca_signing_algorithm=options.ca_signing_algorithm) else: # stage 2 of external CA installation ca.configure_instance(host_name, domain_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, - subject_base=options.subject) + subject_base=options.subject, + ca_signing_algorithm=options.ca_signing_algorithm) # Now put the CA cert where other instances exepct it ca.publish_ca_cert(CACERT) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 8cc2ffa45..ecea26db1 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -123,6 +123,9 @@ PEM file containing the CA certificate of the CA which issued the Directory Serv .TP \fB\-\-subject\fR=\fISUBJECT\fR The certificate subject base (default O=REALM.NAME) +.TP +\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. .SS "DNS OPTIONS" .TP diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b0037dd56..c26046c47 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -369,7 +369,7 @@ class CAInstance(DogtagInstance): pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, master_replication_port=None, - subject_base=None): + subject_base=None, ca_signing_algorithm=None): """Create a CA instance. For Dogtag 9, this may involve creating the pki-ca instance. @@ -395,6 +395,10 @@ class CAInstance(DogtagInstance): self.subject_base = DN(('O', self.realm)) else: self.subject_base = subject_base + if ca_signing_algorithm is None: + self.ca_signing_algorithm = 'SHA256withRSA' + else: + self.ca_signing_algorithm = ca_signing_algorithm # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -517,6 +521,9 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca") config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca") + # CA key algorithm + config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm) + if self.clone: cafile = self.pkcs12_info[0] shutil.copy(cafile, paths.TMP_CA_P12) @@ -643,7 +650,8 @@ class CAInstance(DogtagInstance): "-db_name", "ipaca", "-key_size", "2048", "-key_type", "rsa", - "-key_algorithm", "SHA256withRSA", + "-key_algorithm", self.ca_signing_algorithm, + "-signing_algorithm", "SHA256withRSA", "-save_p12", "true", "-backup_pwd", self.admin_password, "-subsystem_name", self.service_name, |