From 3f5660973251fe4b178e6486b6b86fbdd162d4d6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Jan 11 2017 14:27:55 +0000
Subject: Indicate that ca subject / subject base uses LDAP RDN order
Update man pages and help output to indicate that --subject-base and --ca-subject options interpret their arguments in LDAP order.
Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes
---
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 29952a4..42906d4 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -80,12 +80,14 @@ def parse_options():
 default=None,
 help=(
 "The certificate subject base "
- "(default O=)"))
+ "(default O=). "
+ "RDNs are in LDAP order (most specific RDN first)."))
 parser.add_option("--ca-subject", dest="ca_subject",
 default=None,
 help=(
 "The CA certificate subject DN "
- "(default CN=Certificate Authority,O=)"))
+ "(default CN=Certificate Authority,O=). "
+ "RDNs are in LDAP order (most specific RDN first)."))
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 16e5431..76ce115 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
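Review bot: The new help text in both add_option calls says "LDAP order (most specific RDN first)" but gives a reader who has a DN in the reversed X.500-style order from another tool nothing to check against; naming the string format removes the ambiguity, e.g. `"RDNs are in LDAP order (most specific RDN first, RFC 4514 string form)."`. The identical sentence is also pasted into both knob descriptions in the two ipaserver/install/ca.py hunks, so a future wording fix has four places to miss; a single module-level constant in ca.py (reused here if this script already imports from ipaserver) would keep them in sync. The CLI default is also printed as a bare `O=` while the man pages in this same commit print `O=REALM.NAME`; `O=<REALM>` would read less like an empty organisation. parse_options starts before this hunk and the add_option call for the first option opens above the first context line.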
@@ -47,10 +47,10 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-ca\-subject\fR=\fISUBJECT\fR
-The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME)
+The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-subject\-base\fR=\fISUBJECT\fR
-The subject base for certificates issued by IPA (default O=REALM.NAME)
+The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 9568888..8bfbefb 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -123,10 +123,10 @@ Name of the Kerberos KDC SSL certificate to install
 File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
 .TP
 \fB\-\-ca\-subject\fR=\fISUBJECT\fR
-The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME)
+The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-subject\-base\fR=\fISUBJECT\fR
-The subject base for certificates issued by IPA (default O=REALM.NAME)
+The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index cc52b90..af8cc53 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -434,7 +434,10 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
 subject_base = knob(
 str, None,
- description="The certificate subject base (default O=)",
+ description=(
+ "The certificate subject base (default O=). "
+ "RDNs are in LDAP order (most specific RDN first)."
+ ),
 cli_deprecated_names=['--subject'],
 )
 subject_base = master_install_only(subject_base)
@@ -447,7 +450,8 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
 str, None,
 description=(
 "The CA certificate subject DN "
- "(default CN=Certificate Authority,O=)"
+ "(default CN=Certificate Authority,O=). "
+ "RDNs are in LDAP order (most specific RDN first)."
 ),
 )
 ca_subject = master_install_only(ca_subject)