authorJan Cholasta <jcholast@redhat.com>2014-09-24 16:41:47 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 08:50:47 +0200
commit88083887c994ab505d6e07151e5dd26b56bb7732 (patch)
treefde6a1a529a9c5969082acf081854672154fa22a /install
parent3aa0731fc660ea3d111a44926ab5dea71dc510e7 (diff)
CA-less installer options usability fixes
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have been replaced by --*-cert-file options which accept multiple files. ipa-server-certinstall now accepts multiple files as well. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. The --root-ca-file option of ipa-server-install has been replaced by --ca-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. The --*_pin options of ipa-server-install and ipa-replica-prepare have been renamed to --*-pin. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-server-install165
-rw-r--r--install/tools/man/ipa-replica-prepare.124
-rw-r--r--install/tools/man/ipa-server-certinstall.16
-rw-r--r--install/tools/man/ipa-server-install.128
4 files changed, 133 insertions, 90 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6988b1068..636ba7496 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -215,20 +215,45 @@ def parse_options():
help=SUPPRESS_HELP)
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
- cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
- help="PKCS#12 file containing the Directory Server SSL certificate")
- cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
- help="PKCS#12 file containing the Apache Server SSL certificate")
- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
+ cert_group.add_option("--dirsrv-cert-file", dest="dirsrv_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Directory Server SSL certificate and private key")
+ cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--http-cert-file", dest="http_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Apache Server SSL certificate and private key")
+ cert_group.add_option("--http_pkcs12", dest="http_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
+ action="append", metavar="FILE",
+ help="File containing the Kerberos KDC SSL certificate and private key")
+ cert_group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Directory Server private key")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
- help="The password of the Directory Server PKCS#12 file")
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--http-pin", dest="http_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Apache Server private key")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
- help="The password of the Apache Server PKCS#12 file")
- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
- help="The password of the Kerberos KDC PKCS#12 file")
- cert_group.add_option("--root-ca-file", dest="root_ca_file",
- help="PEM file containing the CA certificate for the PKCS#12 files")
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
+ metavar="PIN",
+ help="The password to unlock the Kerberos KDC private key")
+ cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
+ help=SUPPRESS_HELP)
+ cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
+ action="append", metavar="FILE",
+ help="File containing CA certificates for the service certificate files")
+ cert_group.add_option("--root-ca-file", dest="ca_cert_files",
+ action="append",
+ help=SUPPRESS_HELP)
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
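Review bot: The help text of the new `--dirsrv-pin`, `--http-pin` and `--pkinit-pin` options (L55-L73) does not say that the PIN may be omitted and will then be prompted for, which matters because a password passed as an argument is readable in the process list and shell history regardless of `sensitive=True` (its effect is not visible in this hunk; presumably it keeps the value out of logs). Consider `help="The password to unlock the Directory Server private key (prompted for if omitted; required with --unattended)"` and the same wording for the Apache and KDC variants. The hidden `--*_pkcs12` aliases now silently accept non-PKCS#12 files too, so a short comment such as `# deprecated spellings, kept for compatibility with older scripts` above them would help the next reader. parse_options continues past the end of this hunk.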
@@ -311,22 +336,25 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
- # If any of the PKCS#12 options are selected, all are required.
- pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
- pkcs12_opt = (options.pkinit_pkcs12,)
- if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
- parser.error("--dirsrv_pkcs12 and --http_pkcs12 are required if any "
- "PKCS#12 options are used.")
+ # If any of the key file options are selected, all are required.
+ cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
+ cert_file_opt = (options.pkinit_cert_files,)
+ if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+ parser.error("--dirsrv-cert-file and --http-cert-file are required if "
+ "any key file options are used.")
if options.unattended:
- if options.dirsrv_pkcs12 and options.dirsrv_pin is None:
- parser.error("You must specify --dirsrv_pin with --dirsrv_pkcs12")
- if options.http_pkcs12 and options.http_pin is None:
- parser.error("You must specify --http_pin with --http_pkcs12")
- if options.pkinit_pkcs12 and options.pkinit_pin is None:
- parser.error("You must specify --pkinit_pin with --pkinit_pkcs12")
-
- if options.external_cert_files and options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files and options.dirsrv_pin is None:
+ parser.error(
+ "You must specify --dirsrv-pin with --dirsrv-cert-file")
+ if options.http_cert_files and options.http_pin is None:
+ parser.error(
+ "You must specify --http-pin with --http-cert-file")
+ if options.pkinit_cert_files and options.pkinit_pin is None:
+ parser.error(
+ "You must specify --pkinit-pin with --pkinit-cert-file")
+
+ if options.external_cert_files and options.dirsrv_cert_files:
parser.error("Service certificate file options cannot be used with "
"the external CA options.")
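Review bot: A stray `--ca-cert-file` is accepted silently: the new checks only tie `--dirsrv-cert-file` and `--http-cert-file` together and the pins to their files, while `options.ca_cert_files` is only consumed inside the `if options.*_cert_files` branches of main(), so on a normal CA install it is ignored without any message. Suggest adding, right after the `cert_file_req` check and outside the `if options.unattended:` block, `if options.ca_cert_files and not options.dirsrv_cert_files: parser.error("--ca-cert-file can only be used together with the service certificate file options")`. parse_options continues beyond this hunk.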
@@ -334,8 +362,9 @@ def parse_options():
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
- if options.dirsrv_pkcs12:
- parser.error("You cannot specify PKCS#12 options together with --external-ca")
+ if options.dirsrv_cert_files:
+ parser.error("You cannot specify service certificate file options "
+ "together with --external-ca")
if (options.external_cert_files and
any(not os.path.isabs(path) for path in options.external_cert_files)):
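Review bot: The new multi-file options do not get the absolute-path validation that `options.external_cert_files` receives on L131-L132; if that check exists because the installer later changes its working directory or re-executes (the reason is not visible here), relative `--*-cert-file` and `--ca-cert-file` paths will fail the same way, only later and with a less helpful error. Suggest extending it with `cert_files = [p for opt in (options.dirsrv_cert_files, options.http_cert_files, options.pkinit_cert_files, options.ca_cert_files) for p in opt or []]` followed by `if any(not os.path.isabs(p) for p in cert_files): parser.error("Certificate file paths must be absolute")`. parse_options continues beyond this hunk.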
@@ -761,7 +790,7 @@ def main():
options.external_cert_files, options.subject)
# We only set up the CA if the PKCS#12 options are not given.
- if options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files:
setup_ca = False
setup_kra = False
else:
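Review bot: The comment on L135, `# We only set up the CA if the PKCS#12 options are not given.`, is now stale: the condition tests `options.dirsrv_cert_files`, which per the option help accepts PEM, DER, PKCS#7 and PKCS#8 files as well as PKCS#12. Suggest `# CA-less install: when service certificate files are supplied, no IPA CA (and hence no KRA) is set up.` main() starts and ends outside this hunk.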
@@ -903,43 +932,58 @@ def main():
if not options.subject:
options.subject = DN(('O', realm_name))
- ca_file = options.root_ca_file
-
- if options.http_pkcs12:
+ if options.http_cert_files:
if options.http_pin is None:
options.http_pin = installutils.read_password(
- "Enter %s unlock" % options.http_pkcs12,
+ "Enter Apache Server private key unlock",
confirm=False, validate=False)
if options.http_pin is None:
- sys.exit("%s unlock password required" % options.http_pkcs12)
- http_pkcs12_info = (options.http_pkcs12, options.http_pin)
- http_ca_cert = installutils.check_pkcs12(
- http_pkcs12_info, ca_file, host_name)
-
- if options.dirsrv_pkcs12:
+ sys.exit(
+ "Apache Server private key unlock password required")
+ http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
+ cert_files=options.http_cert_files,
+ key_password=options.http_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ http_pkcs12_info = (http_pkcs12_file.name, http_pin)
+
+ if options.dirsrv_cert_files:
if options.dirsrv_pin is None:
- options.dirsrv_pin = installutils.read_password(
- "Enter %s unlock" % options.dirsrv_pkcs12,
+ options.dirsrv_pin = read_password(
+ "Enter Directory Server private key unlock",
confirm=False, validate=False)
if options.dirsrv_pin is None:
- sys.exit("%s unlock password required" % options.dirsrv_pkcs12)
- dirsrv_pkcs12_info = (options.dirsrv_pkcs12, options.dirsrv_pin)
- dirsrv_ca_cert = installutils.check_pkcs12(
- dirsrv_pkcs12_info, ca_file, host_name)
-
- if options.pkinit_pkcs12:
+ sys.exit(
+ "Directory Server private key unlock password required")
+ dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
+ cert_files=options.dirsrv_cert_files,
+ key_password=options.dirsrv_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
+
+ if options.pkinit_cert_files:
if options.pkinit_pin is None:
- options.pkinit_pin = installutils.read_password(
- "Enter %s unlock" % options.pkinit_pkcs12,
+ options.pkinit_pin = read_password(
+ "Enter Kerberos KDC private key unlock",
confirm=False, validate=False)
if options.pkinit_pin is None:
- sys.exit("%s unlock password required" % options.pkinit_pkcs12)
- pkinit_pkcs12_info = (options.pkinit_pkcs12, options.pkinit_pin)
-
- if (options.http_pkcs12 and options.dirsrv_pkcs12 and
+ sys.exit(
+ "Kerberos KDC private key unlock password required")
+ pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+ cert_files=options.pkinit_cert_files,
+ key_password=options.pkinit_pin,
+ key_nickname=None,
+ ca_cert_files=options.ca_cert_files,
+ host_name=host_name)
+ pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
+
+ if (options.http_cert_files and options.dirsrv_cert_files and
http_ca_cert != dirsrv_ca_cert):
- sys.exit("%s and %s are not signed by the same CA certificate" %
- (options.http_pkcs12, options.dirsrv_pkcs12))
+ sys.exit("Apache Server SSL certificate and Directory Server SSL "
+ "certificate are not signed by the same CA certificate")
if not options.dm_password:
dm_password = read_dm_password()
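Review bot: `pkinit_ca_cert`, returned by `load_pkcs12` on L208, is never used, while the same-CA check on L216-L221 compares only the Apache and Directory Server issuers; if the KDC certificate is meant to chain to the same CA, extend the check with `if options.pkinit_cert_files and http_ca_cert != pkinit_ca_cert: sys.exit("Kerberos KDC SSL certificate is not signed by the same CA certificate as the Apache Server SSL certificate")`, and if a different issuer is intentional bind the value to `_` so readers do not look for a missing check. A smaller inconsistency: L149 still calls `installutils.read_password` whereas L174 and L198 call a bare `read_password`, so one spelling relies on an import not shown in this diff — pick one. The three `*_pkcs12_file` objects are temporary files holding private keys; their permissions and cleanup are decided inside `load_pkcs12`, which is not in this diff, so that is worth confirming. main() starts and ends outside this hunk.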
@@ -1064,14 +1108,13 @@ def main():
if not ntp.is_configured():
ntp.create_instance()
- if options.dirsrv_pkcs12:
+ if options.dirsrv_cert_files:
ds = dsinstance.DsInstance(fstore=fstore)
ds.create_instance(realm_name, host_name, domain_name,
dm_password, dirsrv_pkcs12_info,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject,
- hbac_allow=not options.hbac_allow,
- ca_file=ca_file)
+ hbac_allow=not options.hbac_allow)
else:
ds = dsinstance.DsInstance(fstore=fstore)
ds.create_instance(realm_name, host_name, domain_name,
@@ -1137,7 +1180,7 @@ def main():
ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
krb = krbinstance.KrbInstance(fstore)
- if options.pkinit_pkcs12:
+ if options.pkinit_cert_files:
krb.create_instance(realm_name, host_name, domain_name,
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
@@ -1163,11 +1206,11 @@ def main():
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
- if options.http_pkcs12:
+ if options.http_cert_files:
http.create_instance(
realm_name, host_name, domain_name, dm_password,
pkcs12_info=http_pkcs12_info, subject_base=options.subject,
- auto_redirect=options.ui_redirect, ca_file=ca_file)
+ auto_redirect=options.ui_redirect)
else:
http.create_instance(
realm_name, host_name, domain_name, dm_password,
diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 8e1e60a25..fc8bf8332 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -35,23 +35,23 @@ Once the file has been created it will be named replica\-hostname. This file can
A replica should only be installed on the same or higher version of IPA on the remote system.
.SH "OPTIONS"
.TP
-\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Directory Server SSL Certificate and Private Key
+\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
+File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-http_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Apache Server SSL Certificate and Private Key
+\fB\-\-http\-cert\-file\fR=\fIFILE\fR
+File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Kerberos KDC Certificate and Private Key
+\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
+File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
-The password of the Directory Server PKCS#12 file
+\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
+The password to unlock the Directory Server private key
.TP
-\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
-The password of the Apache Server PKCS#12 file
+\fB\-\-http\-pin\fR=\fIPIN\fR
+The password to unlock the Apache Server private key
.TP
-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
-The password of the Kerberos KDC PKCS#12 file
+\fB\-\-pkinit\-pin\fR=\fIPIN\fR
+The password to unlock the Kerberos KDC private key
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
index f428402da..a5cb4bb7f 100644
--- a/install/tools/man/ipa-server-certinstall.1
+++ b/install/tools/man/ipa-server-certinstall.1
@@ -20,9 +20,9 @@
.SH "NAME"
ipa\-server\-certinstall \- Install new SSL server certificates
.SH "SYNOPSIS"
-ipa\-server\-certinstall [\fIOPTION\fR]... PKCS12_FILE
+ipa\-server\-certinstall [\fIOPTION\fR]... FILE...
.SH "DESCRIPTION"
-Replace the current SSL Directory and/or Apache server certificate(s) with the certificate in the PKCS#12 file.
+Replace the current SSL Directory and/or Apache server certificate(s) with the certificate in the specified files. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
@@ -38,7 +38,7 @@ Install the certificate on the Directory Server
Install the certificate in the Apache Web Server
.TP
\fB\-\-pin\fR=\fIPIN\fR
-The password of the PKCS#12 file
+The password to unlock the private key
.TP
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
Directory Manager password
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 92d9ec85a..0bd59687d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,26 +93,26 @@ File containing the IPA CA certificate and the external CA certificate chain. Th
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
.TP
-\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Directory Server SSL Certificate
+\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
+File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-http_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Apache Server SSL Certificate
+\fB\-\-http\-cert\-file\fR=\fIFILE\fR
+File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Kerberos KDC SSL certificate
+\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
+File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
-\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
-The password of the Directory Server PKCS#12 file
+\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
+The password to unlock the Directory Server private key
.TP
-\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
-The password of the Apache Server PKCS#12 file
+\fB\-\-http\-pin\fR=\fIPIN\fR
+The password to unlock the Apache Server private key
.TP
-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
-The password of the Kerberos KDC PKCS#12 file
+\fB\-\-pkinit\-pin\fR=\fIPIN\fR
+The password to unlock the Kerberos KDC private key
.TP
-\fB\-\-root\-ca\-file\fR=\fIFILE\fR
-PEM file containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC SSL certificates. Use this option if the CA certificate is not present in the PKCS#12 files.
+\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
+File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)