author | Rob Crittenden <rcrit@ipa.greyoak.com> | 2008-07-11 11:34:29 -0400 |
---|---|---|
committer | Rob Crittenden <rcrit@ipa.greyoak.com> | 2008-07-14 09:06:52 -0400 |
commit | 6980b073035cdd43b30b58aba3ce7f84f16a14ad (patch) | |
tree | 2e291b420d42ad02df9221fb4036bb22698463df /ipa-server/ipa-install/ipa-server-certinstall | |
parent | b95c05f5c6a9977e6bb02d091a601efb3bcf360e (diff) | |
Rework the way SSL certificates are imported from PKCS#12 files.
Add the ability to provide PKCS#12 files during initial installation
Add the ability to provide PKCS#12 files when preparing a replica
Correct some issues with ipa-server-certinstall
452402
Diffstat (limited to 'ipa-server/ipa-install/ipa-server-certinstall')
-rw-r--r-- | ipa-server/ipa-install/ipa-server-certinstall | 61 |
1 files changed, 30 insertions, 31 deletions
diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall
index 89f89a58..835af0aa 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -21,6 +21,7 @@ import sys
 import os
 import pwd
+import tempfile
 import traceback
@@ -40,12 +41,18 @@ def parse_options():
                       default=False, help="install certificate for the directory server")
     parser.add_option("-w", "--http", dest="http", action="store_true",
                       default=False, help="install certificate for the http server")
-
+    parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
+                      help="The password of the Directory Server PKCS#12 file")
+    parser.add_option("--http_pin", dest="http_pin",
+                      help="The password of the Apache Server PKCS#12 file")
     options, args = parser.parse_args()
     if not options.dirsrv and not options.http:
         parser.error("you must specify dirsrv and/or http")
+    if ((options.dirsrv and not options.dirsrv_pin) or
+        (options.http and not options.http_pin)):
+        parser.error("you must provide the password for the PKCS#12 file")
     if len(args) != 1:
         parser.error("you must provide a pkcs12 filename")
@@ -62,30 +69,13 @@ def set_ds_cert_name(cert_name, dm_password):
     conn.unbind()
-def set_http_cert_name(cert_name):
-    # find the existing cert name
-    fd = open(httpinstance.NSS_CONF)
-    nick_name = None
-    file = []
-    for line in fd:
-        if "NSSNickname" in line:
-            file.append('NSSNickname "%s"\n' % cert_name)
-        else:
-            file.append(line)
-    fd.close()
-
-    fd = open(httpinstance.NSS_CONF, "w")
-    fd.write("".join(file))
-    fd.close()
-
-
 def choose_server_cert(server_certs):
     print "Please select the certificate to use:"
     num = 1
     for cert in server_certs:
         print "%d. %s" % (num, cert[0])
         num += 1
-
+
     cert_num = 0
     while 1:
         cert_input = raw_input("Certificate number [1]: ")
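Review bot: The new `--dirsrv_pin` and `--http_pin` options in parse_options() take the PKCS#12 password as a command-line argument, so the secret is visible to every local user in the process list and is recorded in shell history. main() already collects the Directory Manager password interactively with `getpass.getpass(...)`, and the pins could fall back to the same prompt when the option is omitted instead of failing with `parser.error(...)`, e.g. `if options.dirsrv and not options.dirsrv_pin: options.dirsrv_pin = getpass.getpass("Directory Server PKCS#12 password: ")` (and the same for `http_pin`). The added check also treats an empty-string pin as missing; if an unprotected PKCS#12 file is meant to be rejected, the help text should say so. parse_options() begins before this hunk.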
@@ -104,17 +94,24 @@ def choose_server_cert(server_certs):
             cert_num = num - 1
             break
     return server_certs[cert_num]
-
-def import_cert(dirname, pkcs12_fname):
+
+def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
     cdb = certs.CertDB(dirname)
-    cdb.create_passwd_file(False)
+    cdb.create_passwd_file(db_password)
     cdb.create_certdbs()
+    [pw_fd, pw_name] = tempfile.mkstemp()
+    os.write(pw_fd, pkcs12_passwd)
+    os.close(pw_fd)
+
     try:
-        cdb.import_pkcs12(pkcs12_fname)
-    except RuntimeError, e:
-        print str(e)
-        sys.exit(1)
+        try:
+            cdb.import_pkcs12(pkcs12_fname, pw_name)
+        except RuntimeError, e:
+            print str(e)
+            sys.exit(1)
+    finally:
+        os.remove(pw_name)
     server_certs = cdb.find_server_certs()
     if len(server_certs) == 0:
@@ -137,14 +134,17 @@ def main():
         dm_password = getpass.getpass("Directory Manager password: ")
         realm = get_realm_name()
         dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
-        server_cert = import_cert(dirname, pkcs12_fname)
+        fd = open(dirname + "/pwdfile.txt")
+        passwd = fd.read()
+        fd.close()
+
+        server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
         set_ds_cert_name(server_cert[0], dm_password)
     if options.http:
         dirname = httpinstance.NSS_DIR
-        server_cert = import_cert(dirname, pkcs12_fname)
-        print server_cert
-        set_http_cert_name(server_cert[0])
+        server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
+        installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])
         # Fix the database permissions
         os.chmod(dirname + "/cert8.db", 0640)
@@ -163,5 +163,4 @@ def main():
     return 0
-
 sys.exit(main())
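Review bot: `os.write(pw_fd, pkcs12_passwd)` in import_cert does not guarantee that the whole buffer is written and its return value is discarded, so a short write would hand a truncated password file to `cdb.import_pkcs12`. Wrapping the descriptor is both shorter and complete: `pw_file = os.fdopen(pw_fd, "w")`, `pw_file.write(pkcs12_passwd)`, `pw_file.close()`. Using `tempfile.mkstemp()` is the right choice here since it creates the file readable only by the owner, and the `finally: os.remove(pw_name)` removes it on every path; the error message `print str(e)` should go to `sys.stderr` rather than stdout so scripted callers can tell output from failure. The function continues past the end of the hunk.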
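Review bot: In main() the Directory Server NSS database password is read with `fd = open(dirname + "/pwdfile.txt")` and `passwd = fd.read()` and passed on unmodified, so if that file is written with a trailing newline the newline becomes part of the password given to `create_passwd_file`; worth confirming against how pwdfile.txt is produced, or applying `.strip()` deliberately with a comment. The http branch passes `""` as db_password with no explanation; a one-line comment such as `# the Apache NSS database is created without a password` (if that is indeed the reason) would save the next reader a lookup. The `fd` handle is also left open if `read()` raises; a `try`/`finally` around the read would close it. main() begins before this hunk and ends after it.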