authorEndi S. Dewata <edewata@redhat.com>2016-04-14 23:12:17 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-04-15 20:03:40 +0200
commit88e963d55bdf4cb9799ef665a72f8855fc00c4da (patch)
tree63226d009c6e6f9b07468058bedb956fac1d7387
parentd3bbfe07b1cb2d65a7af6530ea01374b20a761e4 (diff)
Moved self-signed SSL server certificate creation.
To avoid possible conflicts with imported external certificates, the self-signed SSL server certificate creation has been moved to after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py55
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py41
2 files changed, 55 insertions, 41 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index cc8c7f9..5f77ac5 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -236,6 +236,61 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
if external and step_one:
return self.rv
+ if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_shared_pfile'],
+ deployer.mdict['pki_pin'], pin_sans_token=True)
+
+ # only create a self signed cert for a new instance
+ #
+ # NOTE: ALWAYS create the temporary sslserver certificate
+ # in the software DB regardless of whether the
+ # instance will utilize 'softokn' or an HSM
+ #
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ if not rv:
+
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file. Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
+
+ deployer.certutil.generate_self_signed_certificate(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ deployer.mdict['pki_self_signed_subject'],
+ deployer.mdict['pki_self_signed_serial_number'],
+ deployer.mdict['pki_self_signed_validity_period'],
+ deployer.mdict['pki_self_signed_issuer_name'],
+ deployer.mdict['pki_self_signed_trustargs'],
+ deployer.mdict['pki_self_signed_noise_file'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ # Delete the temporary 'noise' file
+ deployer.file.delete(
+ deployer.mdict['pki_self_signed_noise_file'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
# Start/Restart this Tomcat PKI Process
# Optionally prepare to enable a java debugger
# (e. g. - 'eclipse'):
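Review bot: The temporary 'pfile' created by `deployer.password.create_password_conf(...)` carries `pki_pin` and is only removed on the success path at `deployer.file.delete(deployer.mdict['pki_shared_pfile'])`, so if `verify_certificate_exists` or `generate_self_signed_certificate` raises, the PIN file stays on disk; the noise file is likewise left behind when `generate_self_signed_certificate` fails. Wrapping the certutil calls in try/finally keeps both clean-ups unconditional, as sketched below. Whether `deployer.file.delete` tolerates a path that does not exist is not visible here; if it does not, guard the finally with an existence check. The enclosing method starts and ends outside this hunk.
```python
        deployer.password.create_password_conf(
            deployer.mdict['pki_shared_pfile'],
            deployer.mdict['pki_pin'], pin_sans_token=True)
        try:
            rv = deployer.certutil.verify_certificate_exists(
                # … unchanged: database/token/nickname arguments …
                password_file=deployer.mdict['pki_shared_pfile'])
            if not rv:
                with open(
                        deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
                    f.write("not_so_random_data")
                try:
                    deployer.certutil.generate_self_signed_certificate(
                        # … unchanged: self-signed certificate arguments …
                        password_file=deployer.mdict['pki_shared_pfile'])
                finally:
                    # Remove the temporary 'noise' file even if certutil fails
                    deployer.file.delete(
                        deployer.mdict['pki_self_signed_noise_file'])
        finally:
            # The 'pfile' holds pki_pin in the clear; never leave it behind
            deployer.file.delete(deployer.mdict['pki_shared_pfile'])
```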
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index a567b7c..ed8c0ce 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -128,47 +128,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
no_user_certs=True)
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
- # only create a self signed cert for a new instance
- #
- # NOTE: ALWAYS create the temporary sslserver certificate
- # in the software DB regardless of whether the
- # instance will utilize 'softokn' or an HSM
- #
- rv = deployer.certutil.verify_certificate_exists(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- password_file=deployer.mdict['pki_shared_pfile'])
- if not rv:
- # note: in the function below, certutil is used to generate
- # the request for the self signed cert. The keys are generated
- # by NSS, which does not actually use the data in the noise
- # file, so it does not matter what is in this file. Certutil
- # still requires it though, otherwise it waits for keyboard
- # input
- with open(
- deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
- f.write("not_so_random_data")
- deployer.certutil.generate_self_signed_certificate(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- deployer.mdict['pki_self_signed_subject'],
- deployer.mdict['pki_self_signed_serial_number'],
- deployer.mdict['pki_self_signed_validity_period'],
- deployer.mdict['pki_self_signed_issuer_name'],
- deployer.mdict['pki_self_signed_trustargs'],
- deployer.mdict['pki_self_signed_noise_file'],
- password_file=deployer.mdict['pki_shared_pfile'])
- # Delete the temporary 'noise' file
- deployer.file.delete(
- deployer.mdict['pki_self_signed_noise_file'])
# Check to see if a secure connection is being used for the DS
if config.str2bool(deployer.mdict['pki_ds_secure_connection']):