diff --git a/docs/administration.rst b/docs/administration.rst index 025b47b1..9af08407 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -941,12 +941,20 @@ The following parameters have to be set in the configuration files. If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names. + +.. data:: ENTRUST_CROSS_SIGNED_RSA + :noindex: + + This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA. + + .. data:: ENTRUST_USE_DEFAULT_CLIENT_ID :noindex: If set to True, Entrust will use the primary client ID of 1, which applies to most use-case. Otherwise, Entrust will first lookup the clientId before ordering the certificate. + Verisign Issuer Plugin ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 1efc350e..14bf9646 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -9,7 +9,7 @@ from lemur.constants import CRLReason from lemur.plugins import lemur_entrust as entrust from lemur.plugins.bases import IssuerPlugin, SourcePlugin from lemur.extensions import metrics -from lemur.common.utils import validate_conf +from lemur.common.utils import validate_conf, get_key_type_from_certificate def log_status_code(r, *args, **kwargs): @@ -259,6 +259,9 @@ class EntrustIssuerPlugin(IssuerPlugin): else: chain = response_dict['chainCerts'][1] + if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048": + chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") + log_data["message"] = "Received Chain" log_data["options"] = f"chain: {chain}" current_app.logger.info(log_data)