authorRob Crittenden <rcrit@ipa.greyoak.com>2008-07-11 11:34:29 -0400
committerRob Crittenden <rcrit@ipa.greyoak.com>2008-07-14 09:06:52 -0400
commit6980b073035cdd43b30b58aba3ce7f84f16a14ad (patch)
tree2e291b420d42ad02df9221fb4036bb22698463df /ipa-server/ipa-install/ipa-server-certinstall
parentb95c05f5c6a9977e6bb02d091a601efb3bcf360e (diff)
Rework the way SSL certificates are imported from PKCS#12 files.
Add the ability to provide PKCS#12 files during initial installation. Add the ability to provide PKCS#12 files when preparing a replica. Correct some issues with ipa-server-certinstall (452402).
Diffstat (limited to 'ipa-server/ipa-install/ipa-server-certinstall')
-rw-r--r--ipa-server/ipa-install/ipa-server-certinstall61
1 files changed, 30 insertions, 31 deletions
diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall
index 89f89a58..835af0aa 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -21,6 +21,7 @@
import sys
import os
import pwd
+import tempfile
import traceback
@@ -40,12 +41,18 @@ def parse_options():
default=False, help="install certificate for the directory server")
parser.add_option("-w", "--http", dest="http", action="store_true",
default=False, help="install certificate for the http server")
-
+ parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
+ help="The password of the Directory Server PKCS#12 file")
+ parser.add_option("--http_pin", dest="http_pin",
+ help="The password of the Apache Server PKCS#12 file")
options, args = parser.parse_args()
if not options.dirsrv and not options.http:
parser.error("you must specify dirsrv and/or http")
+ if ((options.dirsrv and not options.dirsrv_pin) or
+ (options.http and not options.http_pin)):
+ parser.error("you must provide the password for the PKCS#12 file")
if len(args) != 1:
parser.error("you must provide a pkcs12 filename")
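Review bot: The new `--dirsrv_pin` and `--http_pin` options take the PKCS#12 password as a command-line argument, so it is visible to other local users in the process list and is recorded in shell history for as long as the history lives. main already collects the Directory Manager password interactively with getpass.getpass, and the new check could fall back to the same instead of turning a missing pin into a parse error: `if options.dirsrv and not options.dirsrv_pin: options.dirsrv_pin = getpass.getpass("Directory Server PKCS#12 password: ")`, and likewise for `options.http_pin`. The option help text would then say the password is prompted for when omitted. parse_options continues outside the hunk.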
@@ -62,30 +69,13 @@ def set_ds_cert_name(cert_name, dm_password):
conn.unbind()
-def set_http_cert_name(cert_name):
- # find the existing cert name
- fd = open(httpinstance.NSS_CONF)
- nick_name = None
- file = []
- for line in fd:
- if "NSSNickname" in line:
- file.append('NSSNickname "%s"\n' % cert_name)
- else:
- file.append(line)
- fd.close()
-
- fd = open(httpinstance.NSS_CONF, "w")
- fd.write("".join(file))
- fd.close()
-
-
def choose_server_cert(server_certs):
print "Please select the certificate to use:"
num = 1
for cert in server_certs:
print "%d. %s" % (num, cert[0])
num += 1
-
+
cert_num = 0
while 1:
cert_input = raw_input("Certificate number [1]: ")
@@ -104,17 +94,24 @@ def choose_server_cert(server_certs):
cert_num = num - 1
break
return server_certs[cert_num]
-
-def import_cert(dirname, pkcs12_fname):
+
+def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
cdb = certs.CertDB(dirname)
- cdb.create_passwd_file(False)
+ cdb.create_passwd_file(db_password)
cdb.create_certdbs()
+ [pw_fd, pw_name] = tempfile.mkstemp()
+ os.write(pw_fd, pkcs12_passwd)
+ os.close(pw_fd)
+
try:
- cdb.import_pkcs12(pkcs12_fname)
- except RuntimeError, e:
- print str(e)
- sys.exit(1)
+ try:
+ cdb.import_pkcs12(pkcs12_fname, pw_name)
+ except RuntimeError, e:
+ print str(e)
+ sys.exit(1)
+ finally:
+ os.remove(pw_name)
server_certs = cdb.find_server_certs()
if len(server_certs) == 0:
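Review bot: The temporary password file from `tempfile.mkstemp()` is written and closed before the `try` whose `finally` removes it, so a failure in `os.write(pw_fd, pkcs12_passwd)` or `os.close(pw_fd)` leaves the PKCS#12 password on disk. Moving the `try:` up to directly follow the `mkstemp()` call puts the write under the same `finally: os.remove(pw_name)`. mkstemp does create the file readable only by the owner, so the exposure is limited to that error path, but the cleanup should still be unconditional. import_cert's body continues past the hunk.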
@@ -137,14 +134,17 @@ def main():
dm_password = getpass.getpass("Directory Manager password: ")
realm = get_realm_name()
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
- server_cert = import_cert(dirname, pkcs12_fname)
+ fd = open(dirname + "/pwdfile.txt")
+ passwd = fd.read()
+ fd.close()
+
+ server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
set_ds_cert_name(server_cert[0], dm_password)
if options.http:
dirname = httpinstance.NSS_DIR
- server_cert = import_cert(dirname, pkcs12_fname)
- print server_cert
- set_http_cert_name(server_cert[0])
+ server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
+ installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])
# Fix the database permissions
os.chmod(dirname + "/cert8.db", 0640)
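Review bot: The read of `dirname + "/pwdfile.txt"` has no error handling and `fd` is not closed if `read()` raises, so a missing or unreadable password file ends in a traceback instead of the short error messages the rest of the script prints; an `except IOError` that prints the error and exits, as import_cert does for RuntimeError, would match. Whether `create_passwd_file` expects the raw file contents including any trailing newline that `fd.read()` returns is not visible here and is worth confirming against certs.CertDB. The http branch passes `""` as db_password for the Apache NSS database; if that is deliberate, a one-line comment such as `# The Apache NSS database has no password` would spare the next reader the question. main starts and ends outside the hunk.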
@@ -163,5 +163,4 @@ def main():
return 0
-
sys.exit(main())