diff --git a/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
new file mode 100644
index 0000000..09ecea3
--- /dev/null
+++ b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
@@ -0,0 +1,86 @@
+From 15c68b5ab6441a443f0a135da2b553ee1f9cbcf9 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Fri, 8 Aug 2014 10:15:26 +0200
+Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to
+ pkispawn.
+
+https://fedorahosted.org/freeipa/ticket/4397
+---
+ install/tools/ipa-server-install       |  6 +++---
+ install/tools/man/ipa-server-install.1 | 10 +++++++---
+ ipaserver/install/cainstance.py        | 13 ++++++++++++-
+ 3 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index dfbbb91bf3bb8461333193b5a3e72c3ec06d4582..feea616b089261bf46392d5514e6e3cc9e12fcac 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -174,11 +174,11 @@ def parse_options():
+ 
+     cert_group = OptionGroup(parser, "certificate system options")
+     cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
+-                      default=False, help="Generate a CSR to be signed by an external CA")
++                      default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
+     cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
+-                      help="PEM file containing a certificate signed by the external CA")
++                      help="File containing the IPA CA certificate signed by the external CA in PEM format")
+     cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
+-                      help="PEM file containing the external CA chain")
++                      help="File containing the external CA certificate chain in PEM format")
+     cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+                       default=True, help="disables pkinit setup steps")
+     cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
+diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
+index 4adf1d037517bb211bd4c5e5e915380777e8f337..d713d2db4cb863dff77e451b22c5a9b1fbbfeecd 100644
+--- a/install/tools/man/ipa-server-install.1
++++ b/install/tools/man/ipa-server-install.1
+@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
+ .SS "CERTIFICATE SYSTEM OPTIONS"
+ .TP
+ \fB\-\-external\-ca\fR
+-Generate a CSR to be signed by an external CA
++Generate a CSR for the IPA CA certificate to be signed by an external CA.
+ .TP
+ \fB\-\-external_cert_file\fR=\fIFILE\fR
+-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
++File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
+ .TP
+ \fB\-\-external_ca_file\fR=\fIFILE\fR
+-PEM file containing the external CA chain
++File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
++
++If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
++
++    openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
+ .TP
+ \fB\-\-no\-pkinit\fR
+ Disables pkinit setup steps
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1..233fa5d95fb7068b22a1c3daaed89176ff14a380 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -578,9 +578,20 @@ def __spawn_instance(self):
+             config.set("CA", "pki_external_csr_path", self.csr_file)
+ 
+         elif self.external == 2:
++            cert_chain, stderr, rc = ipautil.run(
++                ['/usr/bin/openssl', 'crl2pkcs7',
++                 '-certfile', self.cert_chain_file,
++                 '-nocrl'])
++            # Dogtag chokes on the header and footer, remove them
++            # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
++            cert_chain = re.search(
++                r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
++                cert_chain, re.DOTALL).group(0)
++            cert_chain_file = ipautil.write_tmp_file(cert_chain)
++
+             config.set("CA", "pki_external", "True")
+             config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+-            config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
++            config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+             config.set("CA", "pki_external_step_two", "True")
+ 
+         # Generate configuration file
+-- 
+1.9.3
+
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index 53301a0..c650b25 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,7 +1,7 @@
-From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
+From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
-Date: Wed, 22 May 2013 09:38:50 +0200
-Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
+Date: Thu, 14 Aug 2014 13:34:13 +0200
+Subject: [PATCH] Hide pkinit functionality from production version
 
 Rebased from original patch from Jan Zeleny and Rob Crittenden.
 
@@ -13,10 +13,10 @@ https://fedorahosted.org/freeipa/ticket/616
  3 files changed, 10 insertions(+), 16 deletions(-)
 
 diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
-index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
+index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755
 --- a/install/tools/ipa-replica-install
 +++ b/install/tools/ipa-replica-install
-@@ -96,8 +96,6 @@ def parse_options():
+@@ -95,8 +95,6 @@ def parse_options():
      parser.add_option_group(basic_group)
  
      cert_group = OptionGroup(parser, "certificate system options")
@@ -25,7 +25,7 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659
      cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
                        default=False, help="skip check for updated CA DS schema on the remote master")
      parser.add_option_group(cert_group)
-@@ -122,6 +120,9 @@ def parse_options():
+@@ -121,6 +119,9 @@ def parse_options():
      options, args = parser.parse_args()
      safe_options = parser.get_safe_opts(options)
  
@@ -36,13 +36,13 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659
          parser.error("you must provide a file generated by ipa-replica-prepare")
  
 diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
-index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
+index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755
 --- a/install/tools/ipa-server-install
 +++ b/install/tools/ipa-server-install
-@@ -173,20 +173,14 @@ def parse_options():
-                       help="PEM file containing a certificate signed by the external CA")
+@@ -179,20 +179,14 @@ def parse_options():
+                       help="File containing the IPA CA certificate signed by the external CA in PEM format")
      cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
-                       help="PEM file containing the external CA chain")
+                       help="File containing the external CA certificate chain in PEM format")
 -    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
 -                      default=True, help="disables pkinit setup steps")
      cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
@@ -60,7 +60,7 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b
      cert_group.add_option("--root-ca-file", dest="root_ca_file",
                        help="PEM file with root CA certificate(s) to trust")
      cert_group.add_option("--subject", action="callback", callback=subject_callback,
-@@ -236,6 +230,10 @@ def parse_options():
+@@ -229,6 +223,10 @@ def parse_options():
      options, args = parser.parse_args()
      safe_options = parser.get_safe_opts(options)
  
@@ -72,10 +72,10 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b
          try:
              validate_dm_password(options.dm_password)
 diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
-index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
+index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644
 --- a/ipaserver/install/ipa_replica_prepare.py
 +++ b/ipaserver/install/ipa_replica_prepare.py
-@@ -57,9 +57,6 @@ def add_options(cls, parser):
+@@ -56,9 +56,6 @@ def add_options(cls, parser):
          parser.add_option("--no-reverse", dest="no_reverse",
              action="store_true", default=False,
              help="do not create reverse DNS zone")
@@ -85,7 +85,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
          parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
              metavar="FILE",
              help="location of CA PKCS#12 file, default /root/cacert.p12")
-@@ -72,15 +69,10 @@ def add_options(cls, parser):
+@@ -71,15 +68,10 @@ def add_options(cls, parser):
          group.add_option("--http_pkcs12", dest="http_pkcs12",
              metavar="FILE",
              help="install certificate for the http server")
@@ -101,7 +101,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
          parser.add_option_group(group)
  
      def validate_options(self):
-@@ -100,7 +92,10 @@ def validate_options(self):
+@@ -99,7 +91,10 @@ def validate_options(self):
                  "option together with --no-reverse")
  
          #Automatically disable pkinit w/ dogtag until that is supported
@@ -113,5 +113,5 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
          # If any of the PKCS#12 options are selected, all are required.
          pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
 -- 
-1.8.3.1
+1.9.3
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 33b4609..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py
---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py	2013-11-01 10:34:30.000000000 -0500
-+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py	2014-06-26 07:27:19.644718099 -0500
-@@ -43,6 +43,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists("/etc/fedora-release"):
-             os = "fedora"
-+        elif ipautil.file_exists("/etc/centos-release"):
-+            os = "centos"
-         elif ipautil.file_exists("/etc/redhat-release"):
-             os = "rhel"
- 
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index a98a578..ae37d92 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -18,7 +18,7 @@
 
 Name:           ipa
 Version:        3.3.3
-Release:        28%{?dist}
+Release:        28%{?dist}.1
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -93,6 +93,7 @@ Patch0062:      0062-Prohibit-deletion-of-active-subdomain-range.patch
 Patch0063:      0063-extdom-do-not-return-results-from-the-wrong-domain.patch
 Patch0064:      0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
 Patch0065:      0065-Make-ipa-client-automount-backwards-compatible.patch
+Patch0066:      0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -102,8 +103,6 @@ Patch1005:      1005-Remove-pylint-from-build-process.patch
 Patch1006:      1006-Remove-i18test-from-build-process.patch
 Patch1007:      1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
 
-Patch9999:	ipa-centos-branding.patch
-
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.1
 BuildRequires:  svrcore-devel
@@ -150,6 +149,7 @@ BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_nss_idmap-devel
 BuildRequires:  java-1.7.0-openjdk
+BuildRequires:  rhino
 BuildRequires:  libverto-devel
 BuildRequires:  systemd
 BuildRequires:  libunistring-devel
@@ -208,6 +208,9 @@ Requires: selinux-policy >= 3.12.1-65
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.0.4
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns
@@ -843,8 +846,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
-* Thu Jun 26 2014 Johnny Hughes <johnny@centos.org> - 3.3.3-28.el7.centos
-- Roll in CentOS Branding
+* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28.1
+- Server installation fails using external signed certificates with
+  "IndexError: list index out of range" (#1130031)
+- Add rhino to BuildRequires to fix Web UI build error
 
 * Tue Apr  1 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28
 - ipa-client-automount fails with incompatibility error when installed against