URL: https://github.com/freeipa/freeipa/pull/930
Author: frasertweedale
Title: #930: install: allow specifying external CA template
Action: opened
PR body: """
This PR allows an admin to specify an AD-CS target certificate template by name or OID, via the new option --external-ca-profile. The profile may be specified by name (string) or OID + version + optional minor version.
https://pagure.io/freeipa/issue/6858
The approach is:
1. preliminary refactor to the IPAOptionParser to allow easily specifying a custom data constructor (this is used for the data type that holds the template specifier).
2. refactor to reduce duplication of external CA type enum values.
3. the main thing:
   - add data type for template specifier
   - add ipa-server-install `--external-ca-profile` CLI option
   - update CA installation to add the appropriate *pkispawn* config based on the template specifier
   - update *ipa-server-install* man page
4. add the `external-ca-profile` option to *ipa-ca-install* and update man page.
**NOTE FOR TESTERS**
*python-cryptography* has a bug parsing long OIDs. It is fixed as of v1.9 (f27). AD-CS creates and uses OIDs long enough to trigger the bug as a matter of course. Apply the following small diff to your *python-cryptography* lib to avoid the bug:
https://github.com/frasertweedale/cryptography/blob/effeb600057a93f7cb95df1b...
**HOW TO TEST**
1. Install AD-CS on a Windows machine and create a custom profile by copying the *SubCA* profile.
2. Two-step external CA ipa-server-install:
```
$ ipa-server-install \
    --external-ca --external-ca-type=ms-cs \
    --external-ca-profile=1.3.6.1.4.1.311.21.8.8950086.10656446.2706058.12775672.480128.147.7130143.4405632:1
```
(Use the actual OID of the custom profile). If everything works, hooray!
3. Start over with ca-less deployment. Then add CA via ``ipa-ca-install --external-ca-... # as before``. If everything works, hooray. """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/930/head:pr930
git checkout pr930
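An added example, not code from this PR or from FreeIPA: one way to validate a specifier of the form the PR body describes (a name, or OID plus version plus optional minor version) before it is written into installer configuration. The colon before the minor version, the 32-bit bound on version fields, and the names `parse_profile`, `TemplateName` and `TemplateOID` are assumptions.

```python
import re
from typing import NamedTuple, Optional, Union

# Dotted-decimal OID: two or more arcs, ASCII digits only, no leading zeros.
_OID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+")
_UINT32_MAX = 2**32 - 1  # assumption: version fields fit in 32 bits


class TemplateName(NamedTuple):
    name: str


class TemplateOID(NamedTuple):
    oid: str
    major: int
    minor: Optional[int]


def _version(text: str, label: str) -> int:
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{label} version is not a decimal integer: {text!r}")
    value = int(text)
    if value > _UINT32_MAX:
        raise ValueError(f"{label} version out of range: {value}")
    return value


def parse_profile(spec: str) -> Union[TemplateName, TemplateOID]:
    """Hypothetical parser for a NAME or OID:MAJOR[:MINOR] specifier."""
    # The value ends up in installer configuration, so refuse control
    # characters (newlines included) before looking at the structure.
    if not spec or any(ord(c) < 0x20 or ord(c) == 0x7F for c in spec):
        raise ValueError("empty specifier or control character present")
    head, *versions = spec.split(":")
    if not _OID_RE.fullmatch(head):
        return TemplateName(spec)  # not OID-shaped: treat as a template name
    arcs = [int(a) for a in head.split(".")]
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid leading OID arcs: {head}")
    if len(versions) not in (1, 2):
        raise ValueError("OID form is OID:MAJOR[:MINOR]")
    major = _version(versions[0], "major")
    minor = _version(versions[1], "minor") if len(versions) == 2 else None
    return TemplateOID(head, major, minor)
```
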
URL: https://github.com/freeipa/freeipa/pull/930
Author: frasertweedale
Title: #930: install: allow specifying external CA template
Action: closed
freeipa-devel@lists.fedorahosted.org