| author | Jan Cholasta <jcholast@redhat.com> | 2014-08-08 10:15:26 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-08-14 10:06:27 +0200 |
| commit | 359dfe58b94079e1e16f4fb8960eb29b251f2cbc (patch) | |
| tree | 569c616911574f8a9566c197a80ca064aab87033 /install/tools | |
| parent | 4b5a4882497ce7c3ecdf8f898fc695b2309df1b5 (diff) | |
Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/tools')
| -rwxr-xr-x | install/tools/ipa-server-install | 6 | ||||
| -rw-r--r-- | install/tools/man/ipa-server-install.1 | 10 |
2 files changed, 10 insertions, 6 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index dc3655b8e..a54725458 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -202,11 +202,11 @@ def parse_options(): cert_group = OptionGroup(parser, "certificate system options") cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", - default=False, help="Generate a CSR to be signed by an external CA") + default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA") cert_group.add_option("", "--external_cert_file", dest="external_cert_file", - help="PEM file containing a certificate signed by the external CA") + help="File containing the IPA CA certificate signed by the external CA in PEM format") cert_group.add_option("", "--external_ca_file", dest="external_ca_file", - help="PEM file containing the external CA chain") + help="File containing the external CA certificate chain in PEM format") cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", default=True, help="disables pkinit setup steps") cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 4adf1d037..d713d2db4 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input .SS "CERTIFICATE SYSTEM OPTIONS" .TP \fB\-\-external\-ca\fR -Generate a CSR to be signed by an external CA +Generate a CSR for the IPA CA certificate to be signed by an external CA. .TP \fB\-\-external_cert_file\fR=\fIFILE\fR -PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file. +File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file. .TP \fB\-\-external_ca_file\fR=\fIFILE\fR -PEM file containing the external CA chain +File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file. + +If the CA certificate chain is in PKCS#7 format you can convert it to PEM using: + + openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE .TP \fB\-\-no\-pkinit\fR Disables pkinit setup steps |
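Review bot: In the install/tools/ipa-server-install hunk, the new help strings for --external_cert_file and --external_ca_file leave out the pairing requirement that the man page states in this same commit ("Must be given with \-\-external_ca_file" / "Must be given with \-\-external_cert_file"). Someone reading only --help output will not learn that the two options have to be supplied together. Suggest appending the same "Must be given with ..." wording to both help strings so the two sources of documentation agree. Style point: the rewritten help= lines are now well past 80 columns; splitting the string across two lines would keep them in line with the surrounding add_option calls.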
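Review bot: In the install/tools/man/ipa-server-install.1 hunk, the added conversion hint "openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE" only works as written when the PKCS#7 file is PEM-encoded, because openssl pkcs7 reads PEM input by default. CA chains are often delivered as DER-encoded .p7b files, and for those the command fails unless -inform DER is added. Suggest either mentioning -inform DER in the text or saying explicitly that the example assumes a PEM-encoded PKCS#7 file. Also, the command is introduced with bare blank lines and leading spaces inside the .TP entry; wrapping it in .nf/.fi (or using .IP) would give more predictable rendering across man formatters.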
