From 7c03ef0e727ca44ce1228e9896079a1d02227e14 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Aug 14 2014 08:06:27 +0000
Subject: Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397
Reviewed-By: Petr Viktorin
---
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 1f158a4..393c52d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -179,11 +179,11 @@ def parse_options():
 cert_group = OptionGroup(parser, "certificate system options")
 cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
- default=False, help="Generate a CSR to be signed by an external CA")
+ default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
 cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
- help="PEM file containing a certificate signed by the external CA")
+ help="File containing the IPA CA certificate signed by the external CA in PEM format")
 cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
- help="PEM file containing the external CA chain")
+ help="File containing the external CA certificate chain in PEM format")
 cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
 default=True, help="disables pkinit setup steps")
 cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 4adf1d0..d713d2d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
 .SS "CERTIFICATE SYSTEM OPTIONS"
 .TP
 \fB\-\-external\-ca\fR
-Generate a CSR to be signed by an external CA
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
 .TP
 \fB\-\-external_cert_file\fR=\fIFILE\fR
-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
+File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
 .TP
 \fB\-\-external_ca_file\fR=\fIFILE\fR
-PEM file containing the external CA chain
+File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
+
+If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
+
+ openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
 .TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 03aec95..3d0895a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -583,9 +583,20 @@ class CAInstance(service.Service):
 config.set("CA", "pki_external_csr_path", self.csr_file)
 elif self.external == 2:
+ cert_chain, stderr, rc = ipautil.run(
+ [paths.OPENSSL, 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+ # Dogtag chokes on the header and footer, remove them
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+ cert_chain = re.search(
+ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+ cert_chain, re.DOTALL).group(0)
+ cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
 config.set("CA", "pki_external", "True")
 config.set("CA", "pki_external_ca_cert_path", self.cert_file)
- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
 # Generate configuration file
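Review bot: `re.search(...).group(0)` in the added block raises an opaque AttributeError whenever openssl's stdout lacks a `-----BEGIN PKCS7-----`/`-----END PKCS7-----` pair (empty output, a chain file that is not PEM, or an openssl failure if ipautil.run does not already raise on a non-zero exit), and the captured `stderr`/`rc` are never inspected, so the operator gets no hint that `--external_ca_file` was the problem. Check the exit status and the match before writing the temporary file and surface openssl's diagnostics, as sketched below (substitute whatever error class cainstance.py raises elsewhere for RuntimeError). `cert_chain_file` is only a local handle; if write_tmp_file returns a self-deleting temporary file it must stay referenced until pkispawn has read the path, which deserves a comment such as `# keep cert_chain_file alive: pkispawn reads it via cert_chain_file.name`. The enclosing method continues past the end of the hunk.
```python
        elif self.external == 2:
            cert_chain, stderr, rc = ipautil.run(
                [paths.OPENSSL, 'crl2pkcs7',
                 '-certfile', self.cert_chain_file,
                 '-nocrl'])
            if rc != 0:
                raise RuntimeError(
                    "Unable to convert CA certificate chain %s to PKCS#7: %s"
                    % (self.cert_chain_file, stderr))
            # Dogtag chokes on the header and footer, remove them
            # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
            match = re.search(
                r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
                cert_chain, re.DOTALL)
            if match is None:
                raise RuntimeError(
                    "Unexpected openssl output while converting CA certificate "
                    "chain %s to PKCS#7: %s" % (self.cert_chain_file, stderr))
            # keep cert_chain_file alive: pkispawn reads it via cert_chain_file.name
            cert_chain_file = ipautil.write_tmp_file(match.group(0))
            # … unchanged: pki_external / ca_cert_path / chain_path / step_two config.set calls …
```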