From 15c68b5ab6441a443f0a135da2b553ee1f9cbcf9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Fri, 8 Aug 2014 10:15:26 +0200
Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to
pkispawn.
|
https://fedorahosted.org/freeipa/ticket/4397
---
install/tools/ipa-server-install | 6 +++---
install/tools/man/ipa-server-install.1 | 10 +++++++---
ipaserver/install/cainstance.py | 13 ++++++++++++-
3 files changed, 22 insertions(+), 7 deletions(-)
|
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index dfbbb91bf3bb8461333193b5a3e72c3ec06d4582..feea616b089261bf46392d5514e6e3cc9e12fcac 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -174,11 +174,11 @@ def parse_options():
|
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
- default=False, help="Generate a CSR to be signed by an external CA")
+ default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
- help="PEM file containing a certificate signed by the external CA")
+ help="File containing the IPA CA certificate signed by the external CA in PEM format")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
- help="PEM file containing the external CA chain")
+ help="File containing the external CA certificate chain in PEM format")
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 4adf1d037517bb211bd4c5e5e915380777e8f337..d713d2db4cb863dff77e451b22c5a9b1fbbfeecd 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
-Generate a CSR to be signed by an external CA
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external_cert_file\fR=\fIFILE\fR
-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
+File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
.TP
\fB\-\-external_ca_file\fR=\fIFILE\fR
-PEM file containing the external CA chain
+File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
+
+If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
+
+ openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1..233fa5d95fb7068b22a1c3daaed89176ff14a380 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -578,9 +578,20 @@ def __spawn_instance(self):
config.set("CA", "pki_external_csr_path", self.csr_file)
|
elif self.external == 2:
+ cert_chain, stderr, rc = ipautil.run(
+ ['/usr/bin/openssl', 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+ # Dogtag chokes on the header and footer, remove them
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+ cert_chain = re.search(
+ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+ cert_chain, re.DOTALL).group(0)
+ cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
|
# Generate configuration file
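Review bot: The new `re.search(...).group(0)` in the `external == 2` branch raises a bare AttributeError if the `openssl crl2pkcs7` output does not contain the BEGIN/END PKCS7 markers (an empty or malformed `--external_ca_file`, or a non-zero `rc`, which this code discards rather than checks — unless `ipautil.run` already raises on failure, which the hunk does not show). An administrator would then get a traceback instead of an installer error naming the chain file; bind the match first and fail explicitly: `match = re.search(r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)', cert_chain, re.DOTALL)` / `if match is None: raise RuntimeError("Unable to convert external CA chain %s to PKCS#7" % self.cert_chain_file)` / `cert_chain = match.group(0)`. The temporary file is only held in the local `cert_chain_file`; if `write_tmp_file` returns an object that is unlinked on close or garbage collection, that local must stay referenced until pkispawn has read `cert_chain_file.name`, and `__spawn_instance` continues past the end of this hunk, so worth confirming. The hunk also relies on `re` being imported at module level in cainstance.py, which is not visible here.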
--
1.9.3
|