|
 |
ac7d03 |
From 993d41e5105653412cec40b8e2a386da802a62bb Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Jan Cholasta <jcholast@redhat.com>
|
|
|
ac7d03 |
Date: Mon, 24 Apr 2017 07:10:41 +0000
|
|
|
ac7d03 |
Subject: [PATCH] ipa-cacert-manage: add --external-ca-type
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Add the `--external-ca-type`, as known from `ipa-server-install` and
|
|
|
ac7d03 |
`ipa-ca-install`, to `ipa-cacert-manage`.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
This allows creating IPA CA CSRs suitable for use with Microsoft CS using
|
|
|
ac7d03 |
`ipa-cacert-manage`:
|
|
|
ac7d03 |
|
|
|
ac7d03 |
```
|
|
|
ac7d03 |
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
|
|
|
ac7d03 |
```
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/5799
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
ac7d03 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
install/tools/man/ipa-cacert-manage.1 | 3 +++
|
|
|
ac7d03 |
ipaserver/install/ipa_cacert_manage.py | 21 +++++++++++++++++----
|
|
|
ac7d03 |
2 files changed, 20 insertions(+), 4 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
index 128edd8bd2500a09f406da8dc01a53b269007ab0..e36258d0f96aa1050fe88b05f4fe9a1a8f9a7978 100644
|
|
|
ac7d03 |
--- a/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
+++ b/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
@@ -78,6 +78,9 @@ Sign the renewed certificate by itself.
|
|
|
ac7d03 |
\fB\-\-external\-ca\fR
|
|
|
ac7d03 |
Sign the renewed certificate by external CA.
|
|
|
ac7d03 |
.TP
|
|
|
ac7d03 |
+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
|
|
|
ac7d03 |
+Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.
|
|
|
ac7d03 |
+.TP
|
|
|
ac7d03 |
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
|
|
|
ac7d03 |
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
|
|
|
ac7d03 |
.RE
|
|
|
ac7d03 |
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
index 6d28c62b36b3909c9a3d95a5c6c84d1779fe4c33..3b732e4dcbb5c9b4dfbb9e3608bc7d7afd3e10c2 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
@@ -54,6 +54,12 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
"--self-signed", dest='self_signed',
|
|
|
ac7d03 |
action='store_true',
|
|
|
ac7d03 |
help="Sign the renewed certificate by itself")
|
|
|
ac7d03 |
+ ext_cas = ("generic", "ms-cs")
|
|
|
ac7d03 |
+ renew_group.add_option(
|
|
|
ac7d03 |
+ "--external-ca-type", dest="external_ca_type",
|
|
|
ac7d03 |
+ type="choice", choices=ext_cas,
|
|
|
ac7d03 |
+ metavar="{{{0}}}".format(",".join(ext_cas)),
|
|
|
ac7d03 |
+ help="Type of the external CA. Default: generic")
|
|
|
ac7d03 |
renew_group.add_option(
|
|
|
ac7d03 |
"--external-ca", dest='self_signed',
|
|
|
ac7d03 |
action='store_false',
|
|
|
ac7d03 |
@@ -179,7 +185,12 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
def renew_external_step_1(self, ca):
|
|
|
ac7d03 |
print("Exporting CA certificate signing request, please wait")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse')
|
|
|
ac7d03 |
+ if self.options.external_ca_type == 'ms-cs':
|
|
|
ac7d03 |
+ profile = 'SubCA'
|
|
|
ac7d03 |
+ else:
|
|
|
ac7d03 |
+ profile = ''
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+ self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse', profile)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
print(("The next step is to get %s signed by your CA and re-run "
|
|
|
ac7d03 |
"ipa-cacert-manage as:" % paths.IPA_CA_CSR))
|
|
|
ac7d03 |
@@ -286,11 +297,11 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
print("CA certificate successfully renewed")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent'):
|
|
|
ac7d03 |
+ def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''):
|
|
|
ac7d03 |
timeout = api.env.startup_timeout + 60
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.log.debug("resubmitting certmonger request '%s'", self.request_id)
|
|
|
ac7d03 |
- certmonger.resubmit_request(self.request_id, ca=ca, profile='')
|
|
|
ac7d03 |
+ certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
state = certmonger.wait_for_request(self.request_id, timeout)
|
|
|
ac7d03 |
except RuntimeError:
|
|
|
ac7d03 |
@@ -304,7 +315,9 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
"please check the request manually" % self.request_id)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.log.debug("modifying certmonger request '%s'", self.request_id)
|
|
|
ac7d03 |
- certmonger.modify(self.request_id, ca='dogtag-ipa-ca-renew-agent')
|
|
|
ac7d03 |
+ certmonger.modify(self.request_id,
|
|
|
ac7d03 |
+ ca='dogtag-ipa-ca-renew-agent',
|
|
|
ac7d03 |
+ profile='')
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def install(self):
|
|
|
ac7d03 |
print("Installing CA certificate, please wait")
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.9.3
|
|
|
ac7d03 |
|