Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4496>.
Note that this requires pki-core 10.2.0-3. Honza -- Jan Cholasta
>From acb1995aa55fbe46adcf1a995b29f3a4d3280de5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 8 Oct 2014 10:51:31 +0200
Subject: [PATCH] Support MS CA as the external CA in ipa-server-install and ipa-ca-install

Added a new option --external-ca-type which specifies the type of the external CA. It can be either "generic" (the default) or "ms". If "ms" is selected, the CSR generated for the IPA CA will include MS template name extension with template name "SubCA".

https://fedorahosted.org/freeipa/ticket/4496
---
 freeipa.spec.in | 2 +-
 install/tools/ipa-ca-install | 10 +++++++++-
 install/tools/ipa-server-install | 10 +++++++++-
 install/tools/man/ipa-ca-install.1 | 6 ++++++
 install/tools/man/ipa-server-install.1 | 3 +++
 ipaserver/install/cainstance.py | 14 +++++++++++++-
 6 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 99cd6df..6fe8704 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -113,7 +113,7 @@ Requires(post): systemd-units
 Requires: selinux-policy >= 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
-Requires: pki-ca >= 10.1.1
+Requires: pki-ca >= 10.2.0-3
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index df8e34b..8e6e41b 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -68,6 +68,9 @@ def parse_options():
 default=False, help="unattended installation never prompts the user")
 parser.add_option("--external-ca", dest="external_ca", action="store_true",
 default=False, help="Generate a CSR to be signed by an external CA")
+ parser.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms"),
+ help="Type of the external CA")
 parser.add_option("--external-cert-file", dest="external_cert_files",
 action="append", metavar="FILE",
 help="File containing the IPA CA certificate and the external CA certificate chain")
@@ -89,6 +92,10 @@ def parse_options():
 parser.error("You cannot specify --external-cert-file "
 "together with --external-ca")

+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
 return safe_options, options, filename

 def get_dirman_password():
@@ -317,7 +324,8 @@ def install_master(safe_options, options):
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password, csr_file=paths.ROOT_IPA_CSR,
- subject_base=subject_base)
+ subject_base=subject_base,
+ ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password,
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b827dfe..e974194 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
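Review bot: The `--external-ca-type` option added in the first hunk carries no `default=` and its help string names neither the accepted values nor what omitting it means, while the man page in this same patch promises "Default value is generic"; a user reading `--help` cannot see that only generic and ms are valid. Keep the default at None, since the `if options.external_ca_type and not options.external_ca` check in the second hunk relies on the option being falsy when absent, and put the contract in the help text instead: `help="Type of the external CA. Possible values are generic, ms. Default value is generic."`. The identical option is added to ipa-server-install in its hunk at line 203 and should get the same wording.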
@@ -203,6 +203,9 @@ def parse_options():
 cert_group = OptionGroup(parser, "certificate system options")
 cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
 default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
+ cert_group.add_option("--external-ca-type", dest="external_ca_type",
+ type="choice", choices=("generic", "ms"),
+ help="Type of the external CA")
 cert_group.add_option("--external-cert-file", dest="external_cert_files",
 action="append", metavar="FILE",
 help="File containing the IPA CA certificate and the external CA certificate chain")
@@ -374,6 +377,10 @@ def parse_options():
 parser.error("You cannot specify service certificate file options "
 "together with --external-ca")

+ if options.external_ca_type and not options.external_ca:
+ parser.error(
+ "You cannot specify --external-ca-type without --external-ca")
+
 if (options.external_cert_files and
 any(not os.path.isabs(path) for path in options.external_cert_files)):
 parser.error("--external-cert-file must use an absolute path")
@@ -1142,7 +1149,8 @@ def main():
 ca.configure_instance(host_name, domain_name, dm_password,
 dm_password, csr_file=paths.ROOT_IPA_CSR,
 subject_base=options.subject,
- ca_signing_algorithm=options.ca_signing_algorithm)
+ ca_signing_algorithm=options.ca_signing_algorithm,
+ ca_type=options.external_ca_type)
 else:
 # stage 2 of external CA installation
 ca.configure_instance(host_name, domain_name, dm_password,
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8f7201c..12a2e23 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -37,6 +37,12 @@ Directory Manager (existing master) password
 \fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
 Admin user Kerberos password used for connection check
 .TP
+\fB\-\-external\-ca\fR
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
+.TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are generic, ms. Default value is generic. Use ms to include MS template name extension in the CSR.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 582108e..74a9f78 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -87,6 +87,9 @@ An unattended installation that will never prompt for user input
 \fB\-\-external\-ca\fR
 Generate a CSR for the IPA CA certificate to be signed by an external CA.
 .TP
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are generic, ms. Default value is generic. Use ms to include MS template name extension in the CSR.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 521f25d..8e215b0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -420,7 +420,8 @@ class CAInstance(service.Service):
 pkcs12_info=None, master_host=None, csr_file=None,
 cert_file=None, cert_chain_file=None,
 master_replication_port=None,
- subject_base=None, ca_signing_algorithm=None):
+ subject_base=None, ca_signing_algorithm=None,
+ ca_type=None):
 """Create a CA instance.

 For Dogtag 9, this may involve creating the pki-ca instance.
@@ -450,6 +451,10 @@ class CAInstance(service.Service):
 self.ca_signing_algorithm = 'SHA256withRSA'
 else:
 self.ca_signing_algorithm = ca_signing_algorithm
+ if ca_type is not None:
+ self.ca_type = ca_type
+ else:
+ self.ca_type = 'generic'

 # Determine if we are installing as an externally-signed CA and
 # what stage we're in.
@@ -607,6 +612,13 @@ class CAInstance(service.Service):
 config.set("CA", "pki_external", "True")
 config.set("CA", "pki_external_csr_path", self.csr_file)

+ if self.ca_type == 'ms':
+ # Include MS template name extension in the CSR
+ config.set("CA", "pki_req_ext_add", "True")
+ config.set("CA", "pki_req_ext_oid", "1.3.6.1.4.1.311.20.2")
+ config.set("CA", "pki_req_ext_critical", "False")
+ config.set("CA", "pki_req_ext_data", "1E0A00530075006200430041")
+
 elif self.external == 2:
 cert = x509.load_certificate_from_file(self.cert_file)
 cert_file = tempfile.NamedTemporaryFile()
--
1.9.3
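Review bot: The new `ca_type` parameter in the configure_instance signature is not described in the docstring that begins at `"""Create a CA instance.`; the rest of that docstring lies outside the hunk, so I cannot tell whether the other parameters are listed there, but the new one should be wherever they are. A line such as `ca_type: type of the external CA the CSR is meant for, "generic" (the default) or "ms"; "ms" adds the MS certificate template name extension to the CSR` gives a caller the only place this contract is stated. The body of configure_instance continues outside the hunk.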
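Review bot: `self.ca_type = ca_type` in the second hunk stores whatever it is given; the generic/ms restriction lives only in the two command-line front ends, so a direct caller of configure_instance that passes a misspelled value (say "MS") silently falls into the generic path and the missing template extension is noticed only after the external CA has already processed the request. Reject unknown values at the assignment: `if ca_type not in (None, 'generic', 'ms'): raise ValueError("unsupported external CA type: %r" % ca_type)` (or whichever exception type this module raises for bad arguments), and keep the existing None-to-'generic' defaulting.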
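Review bot: `"1E0A00530075006200430041"` in the third hunk is an opaque constant; it is the DER encoding of the BMPString "SubCA" (tag 1E, length 0A, then UTF-16BE S u b C A), which is the only thing tying this line to the "SubCA" template named in the commit message, and a maintainer changing the template name has no way to see that from the code. Replace the one-line comment with `# MS certificate template name extension (1.3.6.1.4.1.311.20.2): DER BMPString "SubCA" = 1E 0A 0053 0075 0062 0043 0041` and note that the template name is fixed here, so an MS CA whose subordinate-CA template is named differently needs this value changed. Marking the extension non-critical is sound: the extension only asks the issuing CA for a template, and which template the CA actually applies, and with it the CA basic constraints the issued certificate ends up with, is decided by that CA's policy, not by the request.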