| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-11-16 20:49:36 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2017-01-11 15:26:20 +0100 |
| commit | 3d01ec14c6e36fa962d0c54b2e08df0ecd401bd6 (patch) | |
| tree | 7aa59616dbb3b5a420d8e4509bb108ae314794c5 /install/tools | |
| parent | 09a65df6842411d42966111e50924df3de0b7031 (diff) | |
Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/tools')
| mode | file | lines changed |
|---|---|---|
| -rwxr-xr-x | install/tools/ipa-ca-install | 18 |
| -rw-r--r-- | install/tools/man/ipa-ca-install.1 | 6 |
| -rw-r--r-- | install/tools/man/ipa-server-install.1 | 3 |
3 files changed, 26 insertions, 1 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 3451a8e0a..29952a420 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -81,6 +81,11 @@ def parse_options(): help=( "The certificate subject base " "(default O=<realm-name>)")) + parser.add_option("--ca-subject", dest="ca_subject", + default=None, + help=( + "The CA certificate subject DN " + "(default CN=Certificate Authority,O=<realm-name>)")) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -177,7 +182,6 @@ def install_replica(safe_options, options, filename): options.domain_name = config.domain_name options.dm_password = config.dirman_password options.host_name = config.host_name - options.subject_base = config.subject_base if os.path.exists(cafile): options.ca_cert_file = cafile else: @@ -206,6 +210,18 @@ def install_master(safe_options, options): if not options.subject_base: options.subject_base = installutils.default_subject_base(api.env.realm) + if not options.ca_subject: + options.ca_subject = installutils.default_ca_subject_dn( + options.subject_base) + + try: + ca.subject_validator(ca.VALID_SUBJECT_BASE_ATTRS, options.subject_base) + except ValueError as e: + sys.exit("Subject base: {}".format(e.message)) + try: + ca.subject_validator(ca.VALID_SUBJECT_ATTRS, options.ca_subject) + except ValueError as e: + sys.exit("CA subject: {}".format(e.message)) ca.install_check(True, None, options) ca.install(True, None, options) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index aa186987a..16e5431b6 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 
@@ -46,6 +46,12 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP +\fB\-\-ca\-subject\fR=\fISUBJECT\fR +The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME) +.TP +\fB\-\-subject\-base\fR=\fISUBJECT\fR +The subject base for certificates issued by IPA (default O=REALM.NAME) +.TP \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. .TP diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 07f772ad4..9568888ff 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -122,6 +122,9 @@ Name of the Kerberos KDC SSL certificate to install \fB\-\-ca\-cert\-file\fR=\fIFILE\fR File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files. .TP +\fB\-\-ca\-subject\fR=\fISUBJECT\fR +The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME) +.TP \fB\-\-subject\-base\fR=\fISUBJECT\fR The subject base for certificates issued by IPA (default O=REALM.NAME) .TP |
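Review bot: in the parse_options hunk of install/tools/ipa-ca-install, the help text for --ca-subject states the default as "CN=Certificate Authority,O=<realm-name>", but install_master computes the default with installutils.default_ca_subject_dn(options.subject_base), so whenever --subject-base is given the effective default is "CN=Certificate Authority,<subject-base>" rather than O=<realm-name>. Suggest wording the help as "(default CN=Certificate Authority,<subject-base>; see --subject-base)" so the two defaults cannot be read as independent.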
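Review bot: the install_replica hunk removes `options.subject_base = config.subject_base` without assigning a replacement, and nothing on the replica path sets or validates options.subject_base or options.ca_subject. Please confirm that the CA replica installation code now derives both values from the existing CA (the replica file or the CA certificate) rather than from the unset command-line options, and consider rejecting or at least warning when --ca-subject or --subject-base is passed together with a replica file, since those values are silently ignored on this path.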
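Review bot: the two error paths in the install_master hunk use `e.message`, which is a Python 2-only attribute of BaseException and does not exist in Python 3, so the exit message would itself raise AttributeError there; `sys.exit("Subject base: {}".format(e))` (i.e. str(e)) behaves the same on both. The ordering is otherwise right: the default CA subject is filled in from the subject base before ca.subject_validator runs against ca.VALID_SUBJECT_ATTRS, so a default built from an invalid --subject-base is reported once under "Subject base:" rather than twice.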
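Review bot: the install/tools/man/ipa-ca-install.1 hunk documents the --ca-subject default as "CN=Certificate Authority,O=REALM.NAME", but the code derives it from the subject base, so the entry should say the default is "CN=Certificate Authority," followed by the --subject-base value (which itself defaults to O=REALM.NAME). The same hunk should also state that both options are only honoured when installing the first CA into a CA-less topology, since install_replica in this patch does not read them.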
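Review bot: the install/tools/man/ipa-server-install.1 hunk has the same default-description issue: "(default CN=Certificate Authority,O=REALM.NAME)" is only accurate when --subject-base is left at its default. Suggest "(default CN=Certificate Authority, followed by the value of --subject-base)" so that an administrator who customises the subject base is not surprised by the CA subject that results.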
