Diffstat (limited to 'install/tools/ipa-server-certinstall')
-rw-r--r-- | install/tools/ipa-server-certinstall | 157 |
1 files changed, 157 insertions, 0 deletions
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
new file mode 100644
index 00000000..a0d11856
--- /dev/null
+++ b/install/tools/ipa-server-certinstall
@@ -0,0 +1,157 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +import os +import pwd +import tempfile + +import traceback + +import krbV, ldap, getpass + +from ipa.ipautil import user_input +from ipaserver import certs, dsinstance, httpinstance, ipaldap, installutils + +def get_realm_name(): + c = krbV.default_context() + return c.default_realm + +def parse_options(): + from optparse import OptionParser + parser = OptionParser() + + parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true", + default=False, help="install certificate for the directory server") + parser.add_option("-w", "--http", dest="http", action="store_true", + default=False, help="install certificate for the http server") + parser.add_option("--dirsrv_pin", dest="dirsrv_pin", + help="The password of the Directory Server PKCS#12 file") + parser.add_option("--http_pin", dest="http_pin", + help="The password of the Apache Server PKCS#12 file") + + options, args = parser.parse_args() + + if not options.dirsrv and not options.http: + parser.error("you must specify dirsrv and/or http") + if ((options.dirsrv and not options.dirsrv_pin) or + (options.http and not options.http_pin)): + parser.error("you must 
provide the password for the PKCS#12 file") + + if len(args) != 1: + parser.error("you must provide a pkcs12 filename") + + return options, args[0] + +def set_ds_cert_name(cert_name, dm_password): + conn = ipaldap.IPAdmin("127.0.0.1") + conn.simple_bind_s("cn=directory manager", dm_password) + + mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)] + + conn.modify_s("cn=RSA,cn=encryption,cn=config", mod) + + conn.unbind() + +def choose_server_cert(server_certs): + print "Please select the certificate to use:" + num = 1 + for cert in server_certs: + print "%d. %s" % (num, cert[0]) + num += 1 + + while 1: + num = user_input("Certificate number", 1) + print "" + if num < 1 or num > len(server_certs): + print "number out of range" + else: + break + + return server_certs[num - 1] + +def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): + cdb = certs.CertDB(dirname) + cdb.create_passwd_file(db_password) + cdb.create_certdbs() + [pw_fd, pw_name] = tempfile.mkstemp() + os.write(pw_fd, pkcs12_passwd) + os.close(pw_fd) + + try: + try: + cdb.import_pkcs12(pkcs12_fname, pw_name) + except RuntimeError, e: + print str(e) + sys.exit(1) + finally: + os.remove(pw_name) + + server_certs = cdb.find_server_certs() + if len(server_certs) == 0: + print "could not find a suitable server cert in import" + sys.exit(1) + elif len(server_certs) == 1: + server_cert = server_certs[0] + else: + server_cert = choose_server_cert(server_certs) + + cdb.trust_root_cert(server_cert[0]) + + return server_cert + +def main(): + options, pkcs12_fname = parse_options() + + try: + if options.dirsrv: + dm_password = getpass.getpass("Directory Manager password: ") + realm = get_realm_name() + dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm)) + fd = open(dirname + "/pwdfile.txt") + passwd = fd.read() + fd.close() + + server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd) + set_ds_cert_name(server_cert[0], dm_password) + + if options.http: + 
dirname = httpinstance.NSS_DIR + server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "") + installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0]) + + # Fix the database permissions + os.chmod(dirname + "/cert8.db", 0640) + os.chmod(dirname + "/key3.db", 0640) + os.chmod(dirname + "/secmod.db", 0640) + + pent = pwd.getpwnam("apache") + os.chown(dirname + "/cert8.db", 0, pent.pw_gid ) + os.chown(dirname + "/key3.db", 0, pent.pw_gid ) + os.chown(dirname + "/secmod.db", 0, pent.pw_gid ) + + except Exception, e: + print "an unexpected error occurred: %s" % str(e) + traceback.print_exc() + return 1 + + return 0 + +sys.exit(main()) |
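Review bot: parse_options requires the PKCS#12 password on the command line (`--dirsrv_pin` / `--http_pin`, enforced by the `parser.error("you must provide the password for the PKCS#12 file")` branch), which exposes the secret in the process list and shell history even though the tool already prompts for the Directory Manager password with getpass in main; when a pin is absent it should prompt the same way instead of failing. The rewritten check is below, everything else in parse_options is unchanged. Two smaller points in the same hunk: import_cert calls `sys.exit(1)` from inside main's `except Exception` block, which on interpreters where SystemExit still derives from Exception would be reported as "an unexpected error occurred: 1" rather than exiting cleanly, so returning an error to main would be more robust; and the `os.chmod(..., 0640)`/`os.chown` fix-up is applied only to the http NSS database, so it is presumably left to certs.CertDB for the directory server database — worth a comment confirming that.
```python
    options, args = parser.parse_args()

    if not options.dirsrv and not options.http:
        parser.error("you must specify dirsrv and/or http")
    # Prompt rather than require the PKCS#12 password as an argument, so it
    # does not appear in the process list or shell history.
    if options.dirsrv and not options.dirsrv_pin:
        options.dirsrv_pin = getpass.getpass("Directory Server PKCS#12 file password: ")
    if options.http and not options.http_pin:
        options.http_pin = getpass.getpass("Apache Server PKCS#12 file password: ")

    # ... unchanged: pkcs12 filename check and return ...
```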