author | Endi S. Dewata <edewata@redhat.com> | 2016-04-14 23:21:57 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-15 20:03:25 +0200 |
commit | e3449617d90f5f73afdb568cc2f43769e5ea760b (patch) | |
tree | f29e48fef2c7053a39dbeb0cc9f8eeed9daa857a | |
parent | 8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39 (diff) | |
Added PKCS #12 deployment properties.
New PKCS #12 deployment properties have been added as aliases
for some external CA properties to allow them to be used in
more general cases:
- pki_pkcs12_path -> pki_external_pkcs12_path
- pki_pkcs12_password -> pki_external_pkcs12_password
https://fedorahosted.org/pki/ticket/1736
-rw-r--r-- | base/server/etc/default.cfg | 7 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 6 |
2 files changed, 8 insertions, 5 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 21c792472..924df9ddc 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -23,6 +23,7 @@ sensitive_parameters=
 pki_clone_pkcs12_password
 pki_ds_password
 pki_external_pkcs12_password
+ pki_pkcs12_password
 pki_one_time_pin
 pki_pin
 pki_replication_password
@@ -134,6 +135,8 @@ pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
 pki_token_password=
 pki_user=pkiuser
+pki_pkcs12_path=
+pki_pkcs12_password=
 # Paths:
 # These are used in the processing of pkispawn and are not supposed
@@ -378,8 +381,8 @@ pki_external_step_two=False
 pki_external_ca_cert_chain_path=
 pki_external_ca_cert_chain_nickname=caSigningCert External CA
 pki_external_ca_cert_path=
-pki_external_pkcs12_path=
-pki_external_pkcs12_password=
+pki_external_pkcs12_path=%(pki_pkcs12_path)s
+pki_external_pkcs12_password=%(pki_pkcs12_password)s
 pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index f93a24723..b5d743894 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -158,8 +158,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 subsystem.config['ca.signing.certreq'] = signing_csr
 # If specified, import externally-signed CA cert into NSS database.
- # Note: CA cert must be imported before the cert chain to ensure that
- # the CA cert is imported with the correct nickname.
 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
 if signing_cert_file:
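Review bot: The new defaults `pki_pkcs12_path=` and `pki_pkcs12_password=` in the second default.cfg hunk carry no comment, so a reader of the file cannot tell what the bundle is used for or that the `pki_external_pkcs12_*` keys now default to them. I would add above them something like `# Optional PKCS #12 file (and its password) holding system certs and keys to import during deployment.` Since the password is written in clear text in the deployment configuration, the same comment could remind operators to keep that file readable only by the deploying user. The section these keys belong to starts outside the hunk.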
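Review bot: `pki_external_pkcs12_password=%(pki_pkcs12_password)s` in the third default.cfg hunk passes the password through `%(...)s` interpolation, so a password containing a literal `%` will probably fail to parse or be altered unless the operator writes it as `%%`. The code that reads this file is not visible here, so this is inferred from the syntax alone. If it holds, it is worth documenting next to the property, for example `# A literal % in the password must be written as %%.` It would also help to state in a comment that a value set explicitly on the old `pki_external_pkcs12_*` names still overrides the alias.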
@@ -168,13 +166,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 cert_file=signing_cert_file,
 trust_attributes='CT,C,C')
- # If specified, import CA cert and key from PKCS #12 file into NSS database.
+ # If specified, import certs and keys from PKCS #12 file into NSS database.
 pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
 if pkcs12_file:
 pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
 nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 # If specified, import cert chain into NSS database.
+ # Note: Cert chain must be imported after the system certs to ensure that
+ # the system certs are imported with the correct nicknames.
 external_ca_cert_chain_nickname = \
 deployer.mdict['pki_external_ca_cert_chain_nickname']
 external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] |
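Review bot: Nothing before `nssdb.import_pkcs12(pkcs12_file, pkcs12_password)` checks the password, and with `pki_pkcs12_password=` defaulting to empty a configuration that sets only the path reaches the import with an empty password. How `import_pkcs12` handles that is not visible in this hunk; if empty-password bundles are not meant to be supported, an early `if not pkcs12_password: raise Exception('pki_pkcs12_password is required when pki_pkcs12_path is set')` would give a clearer failure than an error from the import itself. The block still reads the legacy `pki_external_pkcs12_*` keys, so a short comment such as `# pki_external_pkcs12_* default to pki_pkcs12_* in default.cfg` would explain why the general-purpose import uses the external-CA names. The enclosing method starts and ends outside the hunk.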