Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/certs.py12
-rw-r--r--ipaserver/install/krbinstance.py20
2 files changed, 27 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 3fa65207c..bd5c7bf9c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -865,6 +865,13 @@ class CertDB(object):
"-k", self.passwd_fname,
"-w", pkcs12_pwd_fname])
+ def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
+ nickname, pem_fname):
+ ipautil.run(["/usr/bin/openssl", "pkcs12",
+ "-export", "-name", nickname,
+ "-in", pem_fname, "-out", pkcs12_fname,
+ "-passout", "file:" + pkcs12_pwd_fname])
+
def create_self_signed(self, passwd=None):
self.create_noise_file()
self.create_passwd_file(passwd)
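Review bot: export_pem_p12 passes no `-passin`, so if the private key inside pem_fname is encrypted, openssl will prompt for its passphrase on stdin and the install will block (ipautil.run presumably gives it no terminal). Either document that pem_fname must contain an unencrypted key plus certificate, or accept an optional input-password file and forward it as `"-passin", "file:" + pem_pwd_fname`. The method also has no docstring; suggested: `"""Export the key and certificate in pem_fname to a PKCS#12 file at pkcs12_fname, labelled nickname and protected by the password read from pkcs12_pwd_fname."""`. Passing the password via a file rather than on the command line is the right choice here, since it keeps it out of the process list.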
@@ -1017,6 +1024,11 @@ class CertDB(object):
os.unlink(key_fname)
os.unlink(cert_fname)
+ def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname):
+ ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
+ "-in", p12_fname, "-out", pem_fname,
+ "-passin", "file:" + p12_pwd_fname])
+
def backup_files(self):
self.fstore.backup_file(self.noise_fname)
self.fstore.backup_file(self.passwd_fname)
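Review bot: install_pem_from_p12 uses `-nodes`, so the private key lands in pem_fname unencrypted, yet nothing restricts the file's mode; openssl creates it with the process umask, which for a key later installed under the KDC directory (the krbinstance hunk writes `/var/kerberos/krb5kdc/kdc.pem`) may leave it readable by other local users. Add `os.chmod(pem_fname, 0o600)` right after the run (os is already used by the surrounding code), and consider setting the owner to the account the KDC runs as if it is not root. A docstring would also help: `"""Extract the key and certificate from the PKCS#12 file p12_fname into pem_fname, unencrypted, using the password read from p12_pwd_fname."""`.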
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f6650d80c..7454739e1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -205,7 +205,14 @@ class KrbInstance(service.Service):
self.kpasswd.create_instance()
- def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
+ def create_replica(self, ds_user, realm_name, host_name,
+ domain_name, admin_password,
+ ldap_passwd_filename, kpasswd_filename,
+ setup_pkinit=False, pkcs12_info=None,
+ self_signed_ca=False, subject_base=None):
+ self.pkcs12_info = pkcs12_info
+ self.self_signed_ca = self_signed_ca
+ self.subject_base = subject_base
self.__copy_ldap_passwd(ldap_passwd_filename)
self.__copy_kpasswd_keytab(kpasswd_filename)
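Review bot: The four new parameters of create_replica are undocumented, and pkcs12_info in particular has an implicit shape — later code indexes it as `self.pkcs12_info[0]` and `[1]`, so a caller must know it is a (p12_file, password_file) pair. A docstring on the method should state that, note that subject_base is only used for the KDC certificate, and say that pkcs12_info and self_signed_ca have no effect unless setup_pkinit is true. It is also slightly inconsistent that setup_pkinit alone is not stored on self while the other three are; storing nothing that is only needed within this method is fine, but a comment such as `# setup_pkinit only gates the step registration below` would make the asymmetry deliberate. create_replica continues past the end of this hunk.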
@@ -217,6 +224,8 @@ class KrbInstance(service.Service):
self.step("creating a keytab for the directory", self.__create_ds_keytab)
self.step("creating a keytab for the machine", self.__create_host_keytab)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+ if setup_pkinit:
+ self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
self.__common_post_setup()
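Review bot: The PKINIT step is registered whenever setup_pkinit is true, but the corresponding __setup_pkinit hunk (@@ -506) raises RuntimeError("PKI not supported yet") when neither pkcs12_info nor self_signed_ca was supplied, so an unsupported combination is only discovered after the keytab and password-extension steps have already run. Checking the combination here, before any step executes, would fail fast: `if setup_pkinit and not (pkcs12_info or self_signed_ca): raise RuntimeError("PKI not supported yet\n")`. As a minor style point, the other step descriptions are all lower-case, so `"installing X509 certificate for PKINIT"` would match them. The enclosing method begins in the previous hunk.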
@@ -506,16 +515,17 @@ class KrbInstance(service.Service):
ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
host_name=self.fqdn,
subject_base=self.subject_base)
- if self.pkcs12_info:
-
- raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+ if self.pkcs12_info:
+ ca_db.install_pem_from_p12(self.pkcs12_info[0],
+ self.pkcs12_info[1],
+ "/var/kerberos/krb5kdc/kdc.pem")
else:
if self.self_signed_ca:
ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
"/var/kerberos/krb5kdc")
else:
- raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+ raise RuntimeError("PKI not supported yet\n")
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context