Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-16 Thread Jan Cholasta

On 15.10.2014 at 16:42, Petr Vobornik wrote:

On 8.10.2014 13:35, Jan Cholasta wrote:

Hi,

the attached patch provides an additional fix for
https://fedorahosted.org/freeipa/ticket/4447.

Honza



Requires rebase because of `ca_type=options.external_ca_type)`. Works
fine with older version.


Rebased on top of current ipa-4-1, patch attached.

--
Jan Cholasta
From 5a3a52252f9d157439796236bb8208deb52113bd Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 12:18:06 +0200
Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in
 ipa-ca-install

The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.

https://fedorahosted.org/freeipa/ticket/4447
---
 install/tools/ipa-ca-install   | 11 +--
 install/tools/man/ipa-ca-install.1 |  3 +++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index b56179f..c1bc22f 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -74,6 +74,10 @@ def parse_options():
 parser.add_option(--external-cert-file, dest=external_cert_files,
   action=append, metavar=FILE,
   help=File containing the IPA CA certificate and the external CA certificate chain)
+parser.add_option(--ca-signing-algorithm, dest=ca_signing_algorithm,
+  type=choice,
+  choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+  help=Signing algorithm of the IPA CA certificate)
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
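Review bot: the new add_option call for --ca-signing-algorithm sets no default, so options.ca_signing_algorithm is None whenever the flag is omitted, while the man page hunk in this patch documents SHA256withRSA as the default. Either set default='SHA256withRSA' here or confirm that the callee maps None to that value, so the documented default and the effective one cannot drift apart. The help string could also list the accepted values and say, as the man page does, that the option is meant for external CAs that do not support the default.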
@@ -329,18 +333,21 @@ def install_master(safe_options, options):
 ca.create_ra_agent_db = False
 if external == 0:
 ca.configure_instance(host_name, domain_name, dm_password,
-  dm_password, subject_base=subject_base)
+  dm_password, subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm)
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password, csr_file=paths.ROOT_IPA_CSR,
   subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm,
   ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password,
   cert_file=external_cert_file.name,
   cert_chain_file=external_ca_file.name,
-  subject_base=subject_base)
+  subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm)
 
 ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
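Review bot: in the final else branch, where cert_file and cert_chain_file supply an already issued IPA CA certificate, it is not clear from the call what ca_signing_algorithm=options.ca_signing_algorithm still controls, and nothing here ties it to the value used when the CSR was generated in the external == 1 step. A short comment, or a check that the value matches the signature algorithm of the supplied certificate, would avoid a silent mismatch between the two steps. The keyword is also repeated verbatim in all three configure_instance calls and could be passed once through a shared set of keyword arguments.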
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index ba31a28..aa18698 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -46,6 +46,9 @@ Type of the external CA. Possible values are generic, ms-cs. Default value i
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+.TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
 .TP
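Review bot: the added description line writes --external-ca with plain hyphens, while every option name in this file, including the new \fB\-\-ca\-signing\-algorithm\fR entry, escapes them; use \-\-external\-ca so the rendered page shows copy-pasteable ASCII hyphens. Since SHA1withRSA is listed as a possible value, the text could also state that it is offered only for compatibility with external CAs that cannot use the default, so readers do not pick it for a new deployment.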
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-16 Thread Petr Vobornik

On 16.10.2014 10:00, Jan Cholasta wrote:

On 15.10.2014 at 16:42, Petr Vobornik wrote:

On 8.10.2014 13:35, Jan Cholasta wrote:

Hi,

the attached patch provides an additional fix for
https://fedorahosted.org/freeipa/ticket/4447.

Honza



Requires rebase because of `ca_type=options.external_ca_type)`. Works
fine with older version.


Rebased on top of current ipa-4-1, patch attached.



ACK

Pushed to:
master: cf860c71545fe93bebcb7dcb426795240e776eb3
ipa-4-1: e50d197fc0b79b9aebf6b820a7a672af6777d876
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-15 Thread Petr Vobornik

On 8.10.2014 13:35, Jan Cholasta wrote:

Hi,

the attached patch provides an additional fix for
https://fedorahosted.org/freeipa/ticket/4447.

Honza



Requires rebase because of `ca_type=options.external_ca_type)`. Works 
fine with older version.

--
Petr Vobornik
