1 files changed, 13 insertions, 1 deletions

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50217086c..2c912206a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -384,7 +384,8 @@ class CAInstance(DogtagInstance):
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
                            master_replication_port=None,
-                           subject_base=None, ca_signing_algorithm=None):
+                           subject_base=None, ca_signing_algorithm=None,
+                           ca_type=None):
         """Create a CA instance.
 
            For Dogtag 9, this may involve creating the pki-ca instance.
@@ -414,6 +415,10 @@ class CAInstance(DogtagInstance):
             self.ca_signing_algorithm = 'SHA256withRSA'
         else:
             self.ca_signing_algorithm = ca_signing_algorithm
+        if ca_type is not None:
+            self.ca_type = ca_type
+        else:
+            self.ca_type = 'generic'
 
         # Determine if we are installing as an externally-signed CA and
         # what stage we're in.
@@ -566,6 +571,13 @@ class CAInstance(DogtagInstance):
             config.set("CA", "pki_external", "True")
             config.set("CA", "pki_external_csr_path", self.csr_file)
 
+            if self.ca_type == 'ms-cs':
+                # Include MS template name extension in the CSR
+                config.set("CA", "pki_req_ext_add", "True")
+                config.set("CA", "pki_req_ext_oid", "1.3.6.1.4.1.311.20.2")
+                config.set("CA", "pki_req_ext_critical", "False")
+                config.set("CA", "pki_req_ext_data", "1E0A00530075006200430041")
+
         elif self.external == 2:
             cert = x509.load_certificate_from_file(self.cert_file)
             cert_file = tempfile.NamedTemporaryFile()