Hi,

the attached patch provides an additional fix for <https://fedorahosted.org/freeipa/ticket/4447>.

Honza

--
Jan Cholasta
From d0f77421f74b026de15966075e7687ff0350ed54 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 8 Oct 2014 12:18:06 +0200
Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in
 ipa-ca-install

The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.

https://fedorahosted.org/freeipa/ticket/4447
---
 install/tools/ipa-ca-install       | 13 ++++++++++---
 install/tools/man/ipa-ca-install.1 |  3 +++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index df8e34b..653b615 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -71,6 +71,10 @@ def parse_options():
     parser.add_option("--external-cert-file", dest="external_cert_files",
                       action="append", metavar="FILE",
                       help="File containing the IPA CA certificate and the external CA certificate chain")
+    parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
+                      type="choice",
+                      choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+                      help="Signing algorithm of the IPA CA certificate")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
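Review bot: the new --ca-signing-algorithm option carries no default=, so options.ca_signing_algorithm is None whenever the option is omitted, and that None is what install_master later hands to configure_instance; either add default='SHA256withRSA' here (the default the man page hunk documents) or confirm that configure_instance maps None to that default. The help string could also list the accepted values and the default, as the man page text does, so --help and the man page agree. Since the commit message says this mirrors the option in ipa-server-install, presumably the same choices tuple lives there too; a shared constant would keep the two tools from drifting apart.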
@@ -313,17 +317,20 @@ def install_master(safe_options, options):
     ca.create_ra_agent_db = False
     if external == 0:
         ca.configure_instance(host_name, domain_name, dm_password,
-                              dm_password, subject_base=subject_base)
+                              dm_password, subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm)
     elif external == 1:
         ca.configure_instance(host_name, domain_name, dm_password,
                               dm_password, csr_file=paths.ROOT_IPA_CSR,
-                              subject_base=subject_base)
+                              subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm)
     else:
         ca.configure_instance(host_name, domain_name, dm_password,
                               dm_password,
                               cert_file=external_cert_file.name,
                               cert_chain_file=external_ca_file.name,
-                              subject_base=subject_base)
+                              subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm)
 
     ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
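Review bot: the identical ca_signing_algorithm=options.ca_signing_algorithm keyword is appended to all three configure_instance calls, and the branches already differ only in csr_file versus cert_file/cert_chain_file; consider assembling the keyword arguments once (subject_base and ca_signing_algorithm for every case, plus the branch-specific file arguments) and making a single call, which also removes the risk of one branch being missed by a later change. It is also worth confirming what the value means in the third branch, where the CA certificate is already signed by the external CA and supplied via cert_file; if configure_instance ignores it on that path, a one-line comment would save the next reader the question.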
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8f7201c..a58ac23 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -40,6 +40,9 @@ Admin user Kerberos password used for connection check
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+.TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
 .TP
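Review bot: the inline `--external-ca` in the new paragraph uses plain hyphens, whereas every option name elsewhere in this file is written with groff escapes (`\fB\-\-external\-cert\-file\fR`); write it as `\-\-external\-ca` so it renders as minus signs rather than hyphens and can be copied from the rendered page. The paragraph also documents the accepted values and the SHA256withRSA default, which the option's help string in the first hunk does not; please keep the two in sync.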
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
