authorSimo Sorce <ssorce@redhat.com>2010-11-03 18:17:36 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:57 -0500
commit345fc79f039d217316c5d2df5ef59952a8130a96 (patch)
tree7ded40f684ab7c31edf9f052b9a34afb8729c2af /ipaserver
parent8c616eb10a5f246a9518a8ae20a4144c756d5b61 (diff)
pkinit-replica: create certificates for replicas too
Although the KDC certificate name is not tied to the FQDN, we create separate certs for each KDC so that renewal of each of them is done separately.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certs.py12
-rw-r--r--ipaserver/install/krbinstance.py20
2 files changed, 27 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 3fa65207c..bd5c7bf9c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -865,6 +865,13 @@ class CertDB(object):
"-k", self.passwd_fname,
"-w", pkcs12_pwd_fname])
+ def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
+ nickname, pem_fname):
+ ipautil.run(["/usr/bin/openssl", "pkcs12",
+ "-export", "-name", nickname,
+ "-in", pem_fname, "-out", pkcs12_fname,
+ "-passout", "file:" + pkcs12_pwd_fname])
+
def create_self_signed(self, passwd=None):
self.create_noise_file()
self.create_passwd_file(passwd)
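Review bot: `export_pem_p12` has no docstring, and its contract is only implied by the command line: `openssl pkcs12 -export` needs both the private key and the certificate to be present in `pem_fname`, and the export password is read from the file named by `pkcs12_pwd_fname` rather than being placed on the command line. Unlike the NSS-based export just above it (which authenticates with `-k self.passwd_fname`), this method never touches the NSS database, so a reader may wonder why it lives on `CertDB` at all. Suggest a docstring such as `"""Export the key+certificate PEM in pem_fname to the PKCS#12 file pkcs12_fname; the export password is read from pkcs12_pwd_fname, never passed on the command line."""`. Whether `ipautil.run` raises on a non-zero exit status is not visible in this hunk; if it does not, the result of the `openssl` invocation should be checked so a failed export is not silently treated as success.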
@@ -1017,6 +1024,11 @@ class CertDB(object):
os.unlink(key_fname)
os.unlink(cert_fname)
+ def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname):
+ ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
+ "-in", p12_fname, "-out", pem_fname,
+ "-passin", "file:" + p12_pwd_fname])
+
def backup_files(self):
self.fstore.backup_file(self.noise_fname)
self.fstore.backup_file(self.passwd_fname)
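Review bot: `install_pem_from_p12` writes the private key to `pem_fname` unencrypted (`-nodes`) but leaves the file mode to the process umask, and the caller added in krbinstance.py further down in this commit passes a path under `/var/kerberos/krb5kdc`. A KDC key file that is readable by other local accounts undermines the PKINIT trust the commit is setting up, so the method should tighten permissions itself rather than rely on every caller; after the `ipautil.run` call add `os.chmod(pem_fname, 0o600)` (`os` is already used by the `unlink` calls just above), or pre-create the file with a restrictive mode so there is no window where it is world-readable. A short docstring stating that the output contains the unencrypted private key and that `p12_pwd_fname` holds the import password would make the contract explicit.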
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f6650d80c..7454739e1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -205,7 +205,14 @@ class KrbInstance(service.Service):
self.kpasswd.create_instance()
- def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
+ def create_replica(self, ds_user, realm_name, host_name,
+ domain_name, admin_password,
+ ldap_passwd_filename, kpasswd_filename,
+ setup_pkinit=False, pkcs12_info=None,
+ self_signed_ca=False, subject_base=None):
+ self.pkcs12_info = pkcs12_info
+ self.self_signed_ca = self_signed_ca
+ self.subject_base = subject_base
self.__copy_ldap_passwd(ldap_passwd_filename)
self.__copy_kpasswd_keytab(kpasswd_filename)
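Review bot: The four new keyword parameters of `create_replica` are undocumented, and the structure of `pkcs12_info` (a sequence indexed as `[0]` for the PKCS#12 file and `[1]` for its password file in the `__setup_pkinit` hunk further down) can only be learned by reading that later call. The body of `create_replica` continues outside this hunk, and the `setup_pkinit` step is registered in the next hunk (@@ -217). Suggest a docstring on the method that lists `setup_pkinit`, `pkcs12_info`, `self_signed_ca` and `subject_base`, states the expected layout of `pkcs12_info`, and notes that `self.pkcs12_info`, `self.self_signed_ca` and `self.subject_base` are assigned unconditionally but are only consulted by the PKINIT step. If the master-side `create_instance` takes the same PKINIT arguments, a reference to it would also help keep the two signatures in step.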
@@ -217,6 +224,8 @@ class KrbInstance(service.Service):
self.step("creating a keytab for the directory", self.__create_ds_keytab)
self.step("creating a keytab for the machine", self.__create_host_keytab)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+ if setup_pkinit:
+ self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
self.__common_post_setup()
@@ -506,16 +515,17 @@ class KrbInstance(service.Service):
ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
host_name=self.fqdn,
subject_base=self.subject_base)
- if self.pkcs12_info:
-
- raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+ if self.pkcs12_info:
+ ca_db.install_pem_from_p12(self.pkcs12_info[0],
+ self.pkcs12_info[1],
+ "/var/kerberos/krb5kdc/kdc.pem")
else:
if self.self_signed_ca:
ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
"/var/kerberos/krb5kdc")
else:
- raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+ raise RuntimeError("PKI not supported yet\n")
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context