Merge pull request #3361 from hosseinsh/entrust-cross-signed-subCA

Entrust cross signed sub ca

docs/administration.rst

@@ -941,12 +941,20 @@ The following parameters have to be set in the configuration files.
 
         If there is a config variable ENTRUST_PRODUCT_<upper(authority.name)> take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
 
+
+.. data:: ENTRUST_CROSS_SIGNED_RSA
+    :noindex:
+
+        This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
+
+
 .. data:: ENTRUST_USE_DEFAULT_CLIENT_ID
     :noindex:
 
         If set to True, Entrust will use the primary client ID of 1, which applies to most use-case.
         Otherwise, Entrust will first lookup the clientId before ordering the certificate.
 
+
 Verisign Issuer Plugin
 ~~~~~~~~~~~~~~~~~~~~~~
 

lemur/plugins/lemur_entrust/plugin.py

@@ -9,7 +9,7 @@ from lemur.constants import CRLReason
 from lemur.plugins import lemur_entrust as entrust
 from lemur.plugins.bases import IssuerPlugin, SourcePlugin
 from lemur.extensions import metrics
-from lemur.common.utils import validate_conf
+from lemur.common.utils import validate_conf, get_key_type_from_certificate
 
 
 def log_status_code(r, *args, **kwargs):
@@ -259,6 +259,9 @@ class EntrustIssuerPlugin(IssuerPlugin):
         else:
             chain = response_dict['chainCerts'][1]
 
+        if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048":
+            chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA")
+
         log_data["message"] = "Received Chain"
         log_data["options"] = f"chain: {chain}"
         current_app.logger.info(log_data)