On 04/15/2013 11:50 AM, Ana Krivokapic wrote:
On 04/15/2013 10:20 AM, Petr Viktorin wrote:
Hello,
this fixes incorrect descriptions of the --external_cert_file &
--external_ca_file options.


https://fedorahosted.org/freeipa/ticket/3523



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

There are also 3 error messages in install/tools/ipa-server-install that refer to
PKCS#10 certificates. Do we also need to fix these?

[akrivoka@server freeipa]$ git grep 'PKCS#10' install/tools/ipa-server-install
install/tools/ipa-server-install:            print "Can't load the PKCS#10 certificate: %s." % str(e)
install/tools/ipa-server-install:            print "Subject of the PKCS#10 certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
install/tools/ipa-server-install:            print "The PKCS#10 certificate is not signed by the external CA (unknown issuer %s)." % certissuer

Good catch, thanks. I've changed those as well.

--
Petr³
From 120ff5b7fa179f58747e1b63897372ea0b8c184a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 20 Mar 2013 14:44:22 +0100
Subject: [PATCH] ipa-server-install: correct help text for
 --external_{cert,ca}_file

The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.

https://fedorahosted.org/freeipa/ticket/3523
---
 install/tools/ipa-server-install       | 10 +++++-----
 install/tools/man/ipa-server-install.1 |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index da3caa08d2b00fe3a750ef53573d7d2275635327..d400dbabf4dc1ced0c17277a4e93d55197092c7c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -169,9 +169,9 @@ def parse_options():
     cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
                       default=False, help="Generate a CSR to be signed by an external CA")
     cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
-                      help="File containing PKCS#10 certificate")
+                      help="PEM file containing a certificate signed by the external CA")
     cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
-                      help="File containing PKCS#10 of the external CA chain")
+                      help="PEM file containing the external CA chain")
     cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
                       default=True, help="disables pkinit setup steps")
     cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
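Review bot: the new --external_cert_file help string leaves out the constraint that the man page hunk of this same patch adds ("Must be given with --external_ca_file"), so --help and the man page still differ. Suggest adding that sentence to the help= text here, and the matching one to --external_ca_file if the requirement is mutual, so that someone who only reads --help learns the two files go together.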
@@ -670,16 +670,16 @@ def main():
         try:
             extcert = load_certificate_from_file(options.external_cert_file)
         except IOError, e:
-            print "Can't load the PKCS#10 certificate: %s." % str(e)
+            print "Can't load the PEM certificate: %s." % str(e)
             sys.exit(1)
         except nss.error.NSPRError:
             print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file
             sys.exit(1)
 
         certsubject = DN(str(extcert.subject))
         wantsubject = DN(('CN','Certificate Authority'), options.subject)
         if certsubject != wantsubject:
-            print "Subject of the PKCS#10 certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
+            print "Subject of the external certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
             sys.exit(1)
 
         try:
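Review bot: the IOError message now says "the PEM certificate" while the subject check a few lines below says "the external certificate", and unlike the NSPRError branch it does not print options.external_cert_file. Suggest using "external certificate" in both messages and including options.external_cert_file in the IOError message, so the operator can tell which of the two input files failed to load.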
@@ -694,7 +694,7 @@ def main():
         certdict = dict((DN(str(cert.subject)), cert) for cert in extchain)
         certissuer = DN(str(extcert.issuer))
         if certissuer not in certdict:
-            print "The PKCS#10 certificate is not signed by the external CA (unknown issuer %s)." % certissuer
+            print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer
             sys.exit(1)
 
         cert = extcert
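Review bot: the condition guarding this message, "certissuer not in certdict", only looks up the certificate's issuer DN among the subject DNs of the certificates in extchain; nothing in this hunk verifies a signature. The reworded text still says "is not signed by the external CA", which claims more than the check establishes. Suggest wording that matches the test, for example "The issuer of the external certificate (%s) was not found in the external CA chain."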
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 6959a314785e5020ed1d7701873baf3c2260c2df..59219c14727c5a3062d06d5ef02eb0eebdc9c4f2 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -88,10 +88,10 @@ An unattended installation that will never prompt for user input
 Generate a CSR to be signed by an external CA
 .TP
 \fB\-\-external_cert_file\fR=\fIFILE\fR
-File containing PKCS#10 certificate
+PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
 .TP
 \fB\-\-external_ca_file\fR=\fIFILE\fR
-File containing PKCS#10 of the external CA chain
+PEM file containing the external CA chain
 .TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps
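Review bot: the two rewritten entries are inconsistent with each other: \-\-external_cert_file ends with a full stop and states "Must be given with \-\-external_ca_file", while \-\-external_ca_file has neither. Suggest adding "Must be given with \-\-external_cert_file" to the second entry if the requirement is mutual, and settling on one punctuation style (the unchanged entries around them in this hunk carry no trailing full stop).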
-- 
1.8.1.4
