Installation with external CA produces a CSR with legacy header that is unrecognized by python-cryptography 35

[flo-renaud]

IPA server installation with an external CA is done in a 2-step process, the first step produces a CSR that needs to be signed by the external CA.
The CSR produced by PKI is unrecognized by python-cryptography 35 (shipped in fedora rawhide) because it contains a header BEGIN NEW CERTIFICATE REQUEST instead of BEGIN CERTIFICATE REQUEST. pkispawn should produce a CSR with the most recent format (the NEW is still acceptable but generators should not be doing it per https://datatracker.ietf.org/doc/html/rfc7468#section-7):

   The label "NEW CERTIFICATE REQUEST" is also in wide use.  Generators
   conforming to this document MUST generate "CERTIFICATE REQUEST"
   labels.  Parsers MAY treat "NEW CERTIFICATE REQUEST" as equivalent to
   "CERTIFICATE REQUEST".

See the code in

pki/base/common/python/pki/nssdb.py

Lines 811 to 815 in 292ec60

	# add header and footer
	with open(request_file, 'w') as f:
	f.write('-----BEGIN NEW CERTIFICATE REQUEST-----\n')
	f.write(b64_request)
	f.write('-----END NEW CERTIFICATE REQUEST-----\n')

.

[edewata]

This issue has been fixed in the master branch (PKI 11.5).