Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/certs.py | 12 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 20 |
2 files changed, 27 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 3fa65207c..bd5c7bf9c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -865,6 +865,13 @@ class CertDB(object):
                      "-k", self.passwd_fname,
                      "-w", pkcs12_pwd_fname])
+    def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
+                       nickname, pem_fname):
+        ipautil.run(["/usr/bin/openssl", "pkcs12",
+                     "-export", "-name", nickname,
+                     "-in", pem_fname, "-out", pkcs12_fname,
+                     "-passout", "file:" + pkcs12_pwd_fname])
+
     def create_self_signed(self, passwd=None):
         self.create_noise_file()
         self.create_passwd_file(passwd)
@@ -1017,6 +1024,11 @@ class CertDB(object):
         os.unlink(key_fname)
         os.unlink(cert_fname)
+    def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname):
+        ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
+                     "-in", p12_fname, "-out", pem_fname,
+                     "-passin", "file:" + p12_pwd_fname])
+
     def backup_files(self):
         self.fstore.backup_file(self.noise_fname)
         self.fstore.backup_file(self.passwd_fname)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f6650d80c..7454739e1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -205,7 +205,14 @@ class KrbInstance(service.Service):
         self.kpasswd.create_instance()
-    def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
+    def create_replica(self, ds_user, realm_name, host_name,
+                       domain_name, admin_password,
+                       ldap_passwd_filename, kpasswd_filename,
+                       setup_pkinit=False, pkcs12_info=None,
+                       self_signed_ca=False, subject_base=None):
+        self.pkcs12_info = pkcs12_info
+        self.self_signed_ca = self_signed_ca
+        self.subject_base = subject_base
         self.__copy_ldap_passwd(ldap_passwd_filename)
         self.__copy_kpasswd_keytab(kpasswd_filename)
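Review bot: export_pem_p12 has no docstring, and because it passes only `-in pem_fname` with no `-inkey`, the PEM file has to carry both the private key and the certificate for the export to succeed; that precondition is invisible at the call site. I would add `"""Export the key and certificate in pem_fname as a PKCS#12 file at pkcs12_fname; pem_fname must contain both, and the export password is read from pkcs12_pwd_fname."""`. Nothing in the visible hunks calls export_pem_p12 yet, so the expected PEM layout should be pinned down in the docstring before a caller appears. The output file is created by openssl with the process umask, which is worth a sentence in the docstring too.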
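Review bot: install_pem_from_p12 passes `-nodes`, so the private key is written unencrypted to pem_fname, and the file is created by openssl with whatever mode the process umask yields; unless the target directory is itself access-restricted the key can end up readable by other local users. The caller added in krbinstance.py writes it to /var/kerberos/krb5kdc/kdc.pem, so this is the KDC's PKINIT key. I would create the file with a restrictive mode before invoking openssl, `fd = os.open(pem_fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `os.close(fd)`, since openssl reopens an existing file for writing without changing its mode, whereas a chmod after the run leaves a window. The method also wants a docstring stating that the key is left unencrypted: `"""Unpack the PKCS#12 file p12_fname into PEM at pem_fname with the private key unencrypted (-nodes); the import password is read from p12_pwd_fname."""`.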
@@ -217,6 +224,8 @@ class KrbInstance(service.Service):
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+        if setup_pkinit:
+            self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
         self.__common_post_setup()
@@ -506,16 +515,17 @@ class KrbInstance(service.Service):
         ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
-        if self.pkcs12_info:
-
-            raise RuntimeError("Using PKCS12 Certs not supported yet\n")
+        if self.pkcs12_info:
+            ca_db.install_pem_from_p12(self.pkcs12_info[0],
+                                       self.pkcs12_info[1],
+                                       "/var/kerberos/krb5kdc/kdc.pem")
         else:
             if self.self_signed_ca:
                 ca_db.create_kdc_cert("KDC-Cert", self.fqdn, "/var/kerberos/krb5kdc")
             else:
-                raise RuntimeError("PKI not supported yet\n")
+                raise RuntimeError("PKI not supported yet\n")
         # Finally copy the cacert in the krb directory so we don't
         # have any selinux issues with the file context
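Review bot: `self.pkcs12_info[0]` and `self.pkcs12_info[1]` index the option positionally with nothing recording what the two elements are, so a caller that passes anything other than a two-element (file, password file) sequence fails with an IndexError deep inside __setup_pkinit instead of a clear message. I would add above the branch `# pkcs12_info is presumably (pkcs12_file, pkcs12_password_file) as handed over by the installer — confirm against the caller`, and consider checking `len(self.pkcs12_info) == 2` before the call. The new RuntimeError message keeps a trailing `"\n"`, which is unusual for an exception text and will render as a blank line if the caller prints it. __setup_pkinit begins before this hunk, and whether create_instance also sets pkcs12_info, self_signed_ca and subject_base the way the new create_replica does is not visible here.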