author | Jan Cholasta <jcholast@redhat.com> | 2014-10-08 10:51:31 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-13 12:18:09 +0200 |
commit | 4cdeacdedfe344e570da99548043a07a6fa24dbe (patch) | |
tree | 3e1316b61f7da81a9241c25fcbfa0a5ace37a4f8 | |
parent | 9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 (diff) | |
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | freeipa.spec.in | 2 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 10 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 10 | ||||
-rw-r--r-- | install/tools/man/ipa-ca-install.1 | 6 | ||||
-rw-r--r-- | install/tools/man/ipa-server-install.1 | 3 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 14 |
6 files changed, 41 insertions, 4 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 30ffb89c2..008494d8b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -127,7 +127,7 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.54-1
-Requires: pki-ca >= 10.2.0
+Requires: pki-ca >= 10.2.0-3
 Requires: pki-kra >= 10.2.0
 %if 0%{?rhel}
 Requires: subscription-manager
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index bd30b27ae..a5c3ad9a6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -66,6 +66,9 @@ def parse_options():
 default=False, help="unattended installation never prompts the user")
 parser.add_option("--external-ca", dest="external_ca", action="store_true",
 default=False, help="Generate a CSR to be signed by an external CA")
+ parser.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms-cs"),
+ help="Type of the external CA")
 parser.add_option("--external-cert-file", dest="external_cert_files",
 action="append", metavar="FILE",
 help="File containing the IPA CA certificate and the external CA certificate chain")
@@ -87,6 +90,10 @@ def parse_options():
 parser.error("You cannot specify --external-cert-file "
 "together with --external-ca")
 
+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
 return safe_options, options, filename
 
 
@@ -306,7 +313,8 @@ def install_master(safe_options, options):
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password, csr_file=paths.ROOT_IPA_CSR,
- subject_base=subject_base)
+ subject_base=subject_base,
+ ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password,
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index ffff20a27..39c13547c 100755
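Review bot: The help string of the new `--external-ca-type` option in the ipa-ca-install parse_options hunk does not tell the user which values are accepted; optparse only reveals the `choices` in the error it prints after a wrong value, so the man page is the only place listing them. Consider `help="Type of the external CA: generic (default) or ms-cs"`. The same applies to the mirrored option added in install/tools/ipa-server-install. parse_options starts and ends outside this hunk.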
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -204,6 +204,9 @@ def parse_options():
 cert_group = OptionGroup(parser, "certificate system options")
 cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
 default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
+ cert_group.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms-cs"),
+ help="Type of the external CA")
 cert_group.add_option("--external-cert-file", dest="external_cert_files",
 action="append", metavar="FILE",
 help="File containing the IPA CA certificate and the external CA certificate chain")
@@ -375,6 +378,10 @@ def parse_options():
 parser.error("You cannot specify service certificate file options "
 "together with --external-ca")
 
+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
 if (options.external_cert_files and
 any(not os.path.isabs(path) for path in options.external_cert_files)):
 parser.error("--external-cert-file must use an absolute path")
@@ -1164,7 +1171,8 @@ def main():
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password, csr_file=paths.ROOT_IPA_CSR,
 subject_base=options.subject,
- ca_signing_algorithm=options.ca_signing_algorithm)
+ ca_signing_algorithm=options.ca_signing_algorithm,
+ ca_type=options.external_ca_type)
 else:
 # stage 2 of external CA installation
 ca.configure_instance(host_name, domain_name, dm_password,
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8f7201c20..ba31a289c 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -37,6 +37,12 @@ Directory Manager (existing master) password
 \fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
 Admin user Kerberos password used for connection check
 .TP
+\fB\-\-external\-ca\fR
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
+.TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 582108e6f..e5c9c319b 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -87,6 +87,9 @@ An unattended installation that will never prompt for user input
 \fB\-\-external\-ca\fR
 Generate a CSR for the IPA CA certificate to be signed by an external CA.
 .TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50217086c..2c912206a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -384,7 +384,8 @@ class CAInstance(DogtagInstance):
 pkcs12_info=None, master_host=None, csr_file=None,
 cert_file=None, cert_chain_file=None,
 master_replication_port=None,
- subject_base=None, ca_signing_algorithm=None):
+ subject_base=None, ca_signing_algorithm=None,
+ ca_type=None):
 """Create a CA instance.
 
 For Dogtag 9, this may involve creating the pki-ca instance.
@@ -414,6 +415,10 @@ class CAInstance(DogtagInstance):
 self.ca_signing_algorithm = 'SHA256withRSA'
 else:
 self.ca_signing_algorithm = ca_signing_algorithm
+ if ca_type is not None:
+ self.ca_type = ca_type
+ else:
+ self.ca_type = 'generic'
 
 # Determine if we are installing as an externally-signed CA and
 # what stage we're in.
@@ -566,6 +571,13 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_external", "True")
 config.set("CA", "pki_external_csr_path", self.csr_file)
 
+ if self.ca_type == 'ms-cs':
+ # Include MS template name extension in the CSR
+ config.set("CA", "pki_req_ext_add", "True")
+ config.set("CA", "pki_req_ext_oid", "1.3.6.1.4.1.311.20.2")
+ config.set("CA", "pki_req_ext_critical", "False")
+ config.set("CA", "pki_req_ext_data", "1E0A00530075006200430041")
+
 elif self.external == 2:
 cert = x509.load_certificate_from_file(self.cert_file)
 cert_file = tempfile.NamedTemporaryFile() |
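Review bot: `ca_type` is stored without validation in the `@@ -414` hunk, so any string other than `'generic'` or `'ms-cs'` handed to configure_instance is accepted here and later silently yields a generic CSR, because the `ms-cs` branch further down is the only code that tests the value; the `choices=` guard lives only in the two installers' option parsers, not in this method. A check such as `if ca_type not in (None, 'generic', 'ms-cs'): raise ValueError("unsupported external CA type: %s" % ca_type)` placed before the assignment would make the contract explicit for other callers. If the configure_instance docstring that begins in the `@@ -384` hunk lists its parameters (it continues outside the hunk), `ca_type` and its two accepted values should be added there as well. configure_instance starts and ends outside these hunks.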
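Review bot: The `pki_req_ext_data` value in the `@@ -566` hunk is an opaque hex string, and the comment above the block does not say what it encodes; it is the DER encoding of the BMPString "SubCA" named in the commit message (tag `1E`, length `0A`, then the UTF-16BE code units of S, u, b, C, A), which a maintainer cannot verify or change without decoding it by hand. Suggested comment directly above that line: `# DER-encoded BMPString "SubCA": tag 1E, length 0A, UTF-16BE characters`. The OID comment could likewise name the extension, e.g. `# MS certificate template name extension (szOID_ENROLL_CERTTYPE_EXTENSION)`, so the non-critical flag on the next line is understood as deliberate for non-MS verifiers.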