authorJan Cholasta <jcholast@redhat.com>2014-09-24 16:48:15 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 08:50:47 +0200
commit3cde7e9cfd7908b24082e3e50cdd0955726223d0 (patch)
tree235ef572fd448a2246b5a9ede1787f5250e6ffb9 /install
parent88083887c994ab505d6e07151e5dd26b56bb7732 (diff)
Allow choosing CA-less server certificates by name
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare and --cert-name option to ipa-server-certinstall. The options allow choosing a particular certificate and private key from PKCS#12 files by its friendly name. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-server-install15
-rw-r--r--install/tools/man/ipa-replica-prepare.19
-rw-r--r--install/tools/man/ipa-server-certinstall.13
-rw-r--r--install/tools/man/ipa-server-install.19
4 files changed, 33 insertions, 3 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 636ba7496..89d73304f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -248,6 +248,15 @@ def parse_options():
help="The password to unlock the Kerberos KDC private key")
cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
help=SUPPRESS_HELP)
+ cert_group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
+ metavar="NAME",
+ help="Name of the Directory Server SSL certificate to install")
+ cert_group.add_option("--http-cert-name", dest="http_cert_name",
+ metavar="NAME",
+ help="Name of the Apache Server SSL certificate to install")
+ cert_group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
+ metavar="NAME",
+ help="Name of the Kerberos KDC SSL certificate to install")
cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
action="append", metavar="FILE",
help="File containing CA certificates for the service certificate files")
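Review bot: The help strings for the three new `--*-cert-name` options do not say that NAME is the PKCS#12 friendly name, or that it only has an effect together with the matching certificate file option. Wording such as `help="Friendly name of the Directory Server SSL certificate and key to pick from the PKCS#12 file"` would make that explicit for each of the three. The hunk also shows no check that rejects, for example, `dirsrv_cert_name` when `options.dirsrv_cert_files` is unset; parse_options continues outside the hunk, so that validation may already exist, but if it does not, a silently ignored name would leave the operator believing a specific key pair was selected.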
@@ -943,7 +952,7 @@ def main():
http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
cert_files=options.http_cert_files,
key_password=options.http_pin,
- key_nickname=None,
+ key_nickname=options.http_cert_name,
ca_cert_files=options.ca_cert_files,
host_name=host_name)
http_pkcs12_info = (http_pkcs12_file.name, http_pin)
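Review bot: `key_nickname=options.http_cert_name` hands an operator-supplied friendly name straight to load_pkcs12, and nothing visible here says what happens when the name matches no entry, or more than one entry, across `options.http_cert_files`. Friendly names in PKCS#12 are free-form labels and need not be unique, so the selection should fail closed rather than fall back to a default key pair; load_pkcs12 is defined outside this diff, so this needs confirming there. A comment above the call such as `# key_nickname: PKCS#12 friendly name; load_pkcs12 must error out on no match or an ambiguous match` would record the expectation. The same applies to the dirsrv and pkinit calls in the next two hunks; main() continues outside these hunks.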
@@ -959,7 +968,7 @@ def main():
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
cert_files=options.dirsrv_cert_files,
key_password=options.dirsrv_pin,
- key_nickname=None,
+ key_nickname=options.dirsrv_cert_name,
ca_cert_files=options.ca_cert_files,
host_name=host_name)
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
@@ -975,7 +984,7 @@ def main():
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
cert_files=options.pkinit_cert_files,
key_password=options.pkinit_pin,
- key_nickname=None,
+ key_nickname=options.pkinit_cert_name,
ca_cert_files=options.ca_cert_files,
host_name=host_name)
pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index fc8bf8332..a0d47c9ad 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -53,6 +53,15 @@ The password to unlock the Apache Server private key
\fB\-\-pkinit\-pin\fR=\fIPIN\fR
The password to unlock the Kerberos KDC private key
.TP
+\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
+Name of the Directory Server SSL certificate to install
+.TP
+\fB\-\-http\-cert\-name\fR=\fINAME\fR
+Name of the Apache Server SSL certificate to install
+.TP
+\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
+Name of the Kerberos KDC SSL certificate to install
+.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
index a5cb4bb7f..d23bbd490 100644
--- a/install/tools/man/ipa-server-certinstall.1
+++ b/install/tools/man/ipa-server-certinstall.1
@@ -40,6 +40,9 @@ Install the certificate in the Apache Web Server
\fB\-\-pin\fR=\fIPIN\fR
The password to unlock the private key
.TP
+\fB\-\-cert\-name\fR=\fINAME\fR
+Name of the certificate to install
+.TP
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
Directory Manager password
.SH "EXIT STATUS"
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 0bd59687d..582108e6f 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -111,6 +111,15 @@ The password to unlock the Apache Server private key
\fB\-\-pkinit\-pin\fR=\fIPIN\fR
The password to unlock the Kerberos KDC private key
.TP
+\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
+Name of the Directory Server SSL certificate to install
+.TP
+\fB\-\-http\-cert\-name\fR=\fINAME\fR
+Name of the Apache Server SSL certificate to install
+.TP
+\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
+Name of the Kerberos KDC SSL certificate to install
+.TP
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP