Convert external CA chain to PKCS#7 before passing it to pkispawn.

https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin <pviktori@redhat.com>

1 files changed, 7 insertions, 3 deletions

diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 4adf1d037..d713d2db4 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
 .SS "CERTIFICATE SYSTEM OPTIONS"
 .TP
 \fB\-\-external\-ca\fR
-Generate a CSR to be signed by an external CA
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
 .TP
 \fB\-\-external_cert_file\fR=\fIFILE\fR
-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
+File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
 .TP
 \fB\-\-external_ca_file\fR=\fIFILE\fR
-PEM file containing the external CA chain
+File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
+
+If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
+
+    openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
 .TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps