

ACME PKI issuer: add support for Authority ID or DN
Allow issuing ACME certificates using a specific authority.
This would allow FreeIPA to specify a particular subCA to handle ACME
certificates.

Fixes: #4902

Signed-off-by: Alexander Bokovoy <[email protected]>
abbra committed Nov 18, 2024
1 parent 475b58c commit 807f4ee
Showing 2 changed files with 44 additions and 1 deletion.
19 changes: 18 additions & 1 deletion base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
Expand Up @@ -22,9 +22,11 @@
import org.mozilla.jss.netscape.security.util.Utils;
import org.mozilla.jss.netscape.security.x509.RevocationReason;
import org.mozilla.jss.netscape.security.x509.X509CertImpl;
import org.mozilla.jss.netscape.security.x509.X500Name;

import com.netscape.certsrv.ca.CACertClient;
import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.ca.AuthorityID;
import com.netscape.certsrv.cert.CertData;
import com.netscape.certsrv.cert.CertEnrollmentRequest;
import com.netscape.certsrv.cert.CertRequestInfo;
Expand All @@ -48,6 +50,8 @@ public class PKIIssuer extends ACMEIssuer {

private ClientConfig clientConfig = new ClientConfig();
private String profile;
private AuthorityID authority_id;
private X500Name authority_dn;

public String getProfile() {
return profile;
Expand Down Expand Up @@ -108,6 +112,18 @@ public void init() throws Exception {

profile = config.getParameter("profile");
logger.info("- profile: " + profile);

String aid = config.getParameter("authority-id");
if (aid != null) {
authority_id = new AuthorityID(aid);
logger.info("- authority-id: " + aid);
}

String adn = config.getParameter("authority-dn");
if (adn != null) {
authority_dn = new X500Name(adn);
logger.info("- authority-dn: " + adn);
}
}

@Override
Expand Down Expand Up @@ -164,7 +180,8 @@ public String issueCertificate(PKCS10 pkcs10) throws Exception {

logger.info("Request:\n" + certEnrollmentRequest);

CertRequestInfos infos = certClient.enrollRequest(certEnrollmentRequest, null, null);
CertRequestInfos infos = certClient.enrollRequest(
certEnrollmentRequest, authority_id, authority_dn);

logger.info("Responses:");
CertRequestInfo info = infos.getEntries().iterator().next();
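Review bot: The new block in init() accepts both `authority-id` and `authority-dn` at the same time, and issueCertificate() then passes both to enrollRequest(), whereas the CLI added in the same commit only asks for a DN when no ID was given, which suggests the two are meant to be exclusive; a contradictory configuration is therefore not detected at startup but, at best, at enrollment time. Failing fast after both parameters are read would make the contract explicit: `if (authority_id != null && authority_dn != null) { throw new IllegalArgumentException("authority-id and authority-dn are mutually exclusive"); }`. `new AuthorityID(aid)` and `new X500Name(adn)` presumably reject malformed values, but the resulting exception does not say which configuration parameter was at fault; rethrowing with a message that names the parameter would make misconfiguration easier to diagnose. Also, `authority_id` and `authority_dn` are snake_case while the neighbouring fields (`clientConfig`, `profile`) are camelCase — `authorityId`/`authorityDn` would match the file's convention.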
26 changes: 26 additions & 0 deletions base/server/python/pki/server/cli/acme.py
Expand Up @@ -984,6 +984,15 @@ def execute(self, argv):
if profile:
print(' Certificate Profile: %s' % profile)

authority_id = config.get('authority-id')
if authority_id:
print(' Authority ID: %s' % authority_id)

authority_dn = config.get('authority-dn')
if authority_dn:
print(' Authority DN: %s' % authority_dn)



class ACMEIssuerModifyCLI(pki.cli.CLI):

Expand Down Expand Up @@ -1163,6 +1172,23 @@ def execute(self, argv):
profile = pki.util.read_text(' Certificate Profile', default=profile, required=True)
pki.util.set_property(config, 'profile', profile)

print()
print('Enter ID of the authority for issuing ACME certificates '
'(empty for main CA, subCA ID otherwise).')
authority_id = config.get('authority-id')
authority_id = pki.util.read_text(' Authority ID', default=authority_id, required=True)
if authority_id:
pki.util.set_property(config, 'authority-id', authority_id)

if not authority_id:
print()
print('Enter DN of the authority for issuing ACME certificates '
'(empty for main CA, subCA DN otherwise).')
authority_dn = config.get('authority-dn')
authority_dn = pki.util.read_text(' Authority ID', default=authority_id, required=True)
if authority_dn:
pki.util.set_property(config, 'authority-dn', authority_dn)

subsystem.update_issuer_config(config)


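Review bot: The DN prompt in ACMEIssuerModifyCLI.execute() reuses the ID prompt's label and default: `pki.util.read_text(' Authority ID', default=authority_id, required=True)` is called where `' Authority DN'` and `default=authority_dn` were evidently intended, so the stored `authority-dn` read on the line above is never offered as the default and the user is shown the wrong prompt. The fix is `authority_dn = pki.util.read_text(' Authority DN', default=authority_dn, required=True)`. Both prompts also say "empty for main CA" while passing `required=True`; whether read_text accepts an empty answer in that mode cannot be told from this hunk, but if it does not, the main-CA case the prompt describes is unreachable. Finally, a value that is cleared or superseded is never removed from `config` — only truthy values are set — so a stale `authority-dn` from an earlier run can remain next to a newly entered `authority-id`, and the Java issuer in this commit would then send both to enrollRequest(); unsetting the other key when one is chosen would avoid that. The enclosing execute() starts outside the hunk.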
