author | Martin Basti <mbasti@redhat.com> | 2015-07-01 14:02:24 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-07-02 10:59:53 +0000 |
commit | 2e329ecdc7c72045f276319d18df28549a51d4b9 (patch) | |
tree | bc817231e39128722f6a71110f478193ff867042 | |
parent | b5cb95431bffd39475fa82a453ef057890425529 (diff) | |
KRA Install: check replica file if contains req. certificates
https://fedorahosted.org/freeipa/ticket/5059
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipaserver/install/kra.py | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index b55dfb702..2586b4af2 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -3,7 +3,9 @@
 #
 
 from ipalib import api, errors
+from ipapython import certdb
 from ipapython import dogtag
+from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
@@ -34,6 +36,20 @@ def install_check(api, replica_config, options):
     if not api.Command.kra_is_enabled()['result']:
         raise RuntimeError("KRA is not installed on the master system")
 
+    with certdb.NSSDatabase() as tmpdb:
+        pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+        tmpdb.create_db(pw.name)
+        tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+                            replica_config.dirman_password)
+        kra_cert_nicknames = [
+            "storageCert cert-pki-kra", "transportCert cert-pki-kra",
+            "auditSigningCert cert-pki-kra"
+        ]
+        if not all(tmpdb.has_nickname(nickname)
+                   for nickname in kra_cert_nicknames):
+            raise RuntimeError("Missing KRA certificates, please create a "
+                               "new replica file.")
+
 
 def install(api, replica_config, options):
     subject = dsinstance.DsInstance().find_subject_base()
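Review bot: The new check in install_check collapses all three nicknames into a single `all(...)` and raises a message that does not say which certificate is absent, so an operator debugging a bad replica file gets no actionable detail; collecting the misses first, `missing = [n for n in kra_cert_nicknames if not tmpdb.has_nickname(n)]`, then `if missing: raise RuntimeError("Missing KRA certificates (%s), please create a new replica file." % ", ".join(missing))`, costs nothing and names the gap. If `has_nickname` only reports that a certificate with that nickname exists in the database (not visible here), a PKCS#12 that carries the certificates without their private keys would still pass this pre-flight check and fail later in install; worth confirming what the helper tests for and, if needed, checking key presence as well. The temporary password file returned by `ipautil.write_tmp_file` is never explicitly closed inside the `with` block, so its lifetime depends on that helper's return type — a short comment such as `# pw is a temp file holding the NSS DB password; removed when the object is collected` would document the intent if that is the case. `replica_config.dir + "/cacert.p12"` would read better as `os.path.join(replica_config.dir, "cacert.p12")`, though that needs an `import os` that this hunk does not show. install_check begins above the hunk, so its earlier validation steps are not visible here.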