Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
On 15.10.2014 at 16:42, Petr Vobornik wrote:
On 8.10.2014 13:35, Jan Cholasta wrote:
Hi,
the attached patch provides an additional fix for https://fedorahosted.org/freeipa/ticket/4447.
Honza

Requires rebase because of `ca_type=options.external_ca_type)`. Works fine with older version.

Rebased on top of current ipa-4-1, patch attached.
--
Jan Cholasta
From 5a3a52252f9d157439796236bb8208deb52113bd Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 12:18:06 +0200 Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install The --ca-signing-algorithm option is available in ipa-server-install, make it available in ipa-ca-install as well. https://fedorahosted.org/freeipa/ticket/4447 --- install/tools/ipa-ca-install | 11 +-- install/tools/man/ipa-ca-install.1 | 3 +++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index b56179f..c1bc22f 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -74,6 +74,10 @@ def parse_options(): parser.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) +parser.add_option(--ca-signing-algorithm, dest=ca_signing_algorithm, + type=choice, + choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), + help=Signing algorithm of the IPA CA certificate) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) 
@@ -329,18 +333,21 @@ def install_master(safe_options, options): ca.create_ra_agent_db = False if external == 0: ca.configure_instance(host_name, domain_name, dm_password, - dm_password, subject_base=subject_base) + dm_password, subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) elif external == 1: ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm, ca_type=options.external_ca_type) else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, cert_file=external_cert_file.name, cert_chain_file=external_ca_file.name, - subject_base=subject_base) + subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index ba31a28..aa18698 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -46,6 +46,9 @@ Type of the external CA. Possible values are generic, ms-cs. Default value i \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP +\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. +.TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation .TP -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
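Review bot: In the parse_options() hunk, the new parser.add_option call for --ca-signing-algorithm has no default=, so options.ca_signing_algorithm stays unset (None) when the option is omitted, and that value is then passed to all three ca.configure_instance() calls, while the man page hunk states "Default value is SHA256withRSA". Either set default='SHA256withRSA' on the option or confirm that configure_instance() maps an unset value to SHA256withRSA, since that code is not part of this patch. Because SHA1withRSA stays in the choices tuple, the help string could also say that it exists for external CAs that cannot sign with the default, as the man page text already implies.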
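Review bot: In the install_master() hunk, the final else branch passes ca_signing_algorithm together with cert_file and cert_chain_file, that is, at the step where the externally signed certificate is already supplied. The patch does not show what the option means at that point, or what happens if it differs from the value given when the CSR was produced in the external == 1 branch. Please document the expected behaviour for the second run in the man page entry, or drop the argument from this branch if it has no effect there.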
Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
On 16.10.2014 10:00, Jan Cholasta wrote:
On 15.10.2014 at 16:42, Petr Vobornik wrote:
On 8.10.2014 13:35, Jan Cholasta wrote:
Hi,
the attached patch provides an additional fix for https://fedorahosted.org/freeipa/ticket/4447.
Honza

Requires rebase because of `ca_type=options.external_ca_type)`. Works fine with older version.

Rebased on top of current ipa-4-1, patch attached.

ACK

Pushed to:
master: cf860c71545fe93bebcb7dcb426795240e776eb3
ipa-4-1: e50d197fc0b79b9aebf6b820a7a672af6777d876
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
On 8.10.2014 13:35, Jan Cholasta wrote:
Hi,
the attached patch provides an additional fix for https://fedorahosted.org/freeipa/ticket/4447.
Honza

Requires rebase because of `ca_type=options.external_ca_type)`. Works fine with older version.
--
Petr Vobornik
[Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
Hi, the attached patch provides an additional fix for https://fedorahosted.org/freeipa/ticket/4447. Honza -- Jan Cholasta From d0f77421f74b026de15966075e7687ff0350ed54 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 12:18:06 +0200 Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install The --ca-signing-algorithm option is available in ipa-server-install, make it available in ipa-ca-install as well. https://fedorahosted.org/freeipa/ticket/4447 --- install/tools/ipa-ca-install | 13 ++--- install/tools/man/ipa-ca-install.1 | 3 +++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index df8e34b..653b615 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -71,6 +71,10 @@ def parse_options(): parser.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) +parser.add_option(--ca-signing-algorithm, dest=ca_signing_algorithm, + type=choice, + choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), + help=Signing algorithm of the IPA CA certificate) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) 
@@ -313,17 +317,20 @@ def install_master(safe_options, options): ca.create_ra_agent_db = False if external == 0: ca.configure_instance(host_name, domain_name, dm_password, - dm_password, subject_base=subject_base) + dm_password, subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) elif external == 1: ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, - subject_base=subject_base) + subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, cert_file=external_cert_file.name, cert_chain_file=external_ca_file.name, - subject_base=subject_base) + subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 8f7201c..a58ac23 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -40,6 +40,9 @@ Admin user Kerberos password used for connection check \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP +\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. +.TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation .TP -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
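Review bot: In the ipa-ca-install.1 hunk, the added description line writes --external-ca with bare hyphens, while the option heading two lines above it uses the escaped form \-\-ca\-signing\-algorithm. Escaping it as \-\-external\-ca keeps the page consistent and makes sure the option name is rendered with plain ASCII hyphens that can be copied into a shell. The same line lists SHA1withRSA next to the other values without comment; a short remark that it is offered only for external CAs that cannot use the default would make the intent clear to administrators.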