| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-11-17 09:26:02 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2017-01-11 15:27:55 +0100 |
| commit | 3f5660973251fe4b178e6486b6b86fbdd162d4d6 (patch) | |
| tree | 234ba558ea2e0aea925771f2ee8b34d993538ab3 /install/tools | |
| parent | 3d01ec14c6e36fa962d0c54b2e08df0ecd401bd6 (diff) | |

Indicate that ca subject / subject base uses LDAP RDN order

Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.

Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>

Diffstat (limited to 'install/tools')
| -rwxr-xr-x | install/tools/ipa-ca-install | 6 |
| -rw-r--r-- | install/tools/man/ipa-ca-install.1 | 4 |
| -rw-r--r-- | install/tools/man/ipa-server-install.1 | 4 |
3 files changed, 8 insertions, 6 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 29952a420..42906d440 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -80,12 +80,14 @@ def parse_options(): default=None, help=( "The certificate subject base " - "(default O=<realm-name>)")) + "(default O=<realm-name>). " + "RDNs are in LDAP order (most specific RDN first).")) parser.add_option("--ca-subject", dest="ca_subject", default=None, help=( "The CA certificate subject DN " - "(default CN=Certificate Authority,O=<realm-name>)")) + "(default CN=Certificate Authority,O=<realm-name>). " + "RDNs are in LDAP order (most specific RDN first).")) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 16e5431b6..76ce11524 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 
@@ -47,10 +47,10 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-ca\-subject\fR=\fISUBJECT\fR -The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME) +The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first). .TP \fB\-\-subject\-base\fR=\fISUBJECT\fR -The subject base for certificates issued by IPA (default O=REALM.NAME) +The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first). .TP \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 9568888ff..8bfbefb0a 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -123,10 +123,10 @@ Name of the Kerberos KDC SSL certificate to install File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files. .TP \fB\-\-ca\-subject\fR=\fISUBJECT\fR -The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME) +The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first). .TP \fB\-\-subject\-base\fR=\fISUBJECT\fR -The subject base for certificates issued by IPA (default O=REALM.NAME) +The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first). .TP \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. |
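
Review bot: In the parse_options() hunk of install/tools/ipa-ca-install, the sentence "RDNs are in LDAP order (most specific RDN first)." is pasted as a separate literal into both the subject base help string and the --ca-subject help string. Define it once as a module-level string and append it to both help values, so the wording cannot drift between the two options or away from the man pages that repeat it.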
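
Review bot: In the install/tools/man/ipa-ca-install.1 hunk, "LDAP order" is introduced under --ca-subject and --subject-base without saying where that order is defined. The parenthetical "most specific RDN first" helps, but an administrator comparing the option value with an issued certificate needs a reference: name RFC 4514 (the LDAP string representation of distinguished names) in the sentence, or point out that the default CN=Certificate Authority,O=REALM.NAME shown on the same line is already written in that order.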
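
Review bot: In the install/tools/man/ipa-server-install.1 hunk, the --subject-base entry documents the ordering next to a default of O=REALM.NAME, which has a single RDN and so cannot show what "most specific RDN first" means. Add a short example value with at least two RDNs to that entry, since a subject base entered in the wrong order is the mistake this text is meant to prevent.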
