authorEndi S. Dewata <edewata@redhat.com>2015-11-07 00:09:19 +0100
committerMatthew Harmsen <mharmsen@pki.usersys.redhat.com>2016-02-22 20:19:30 -0700
commitbc0de424aa8c56d2278e41b7786ca202b7e64cc3 (patch)
tree35800e3d43bcdb58e7c561ab0a058674475aa7c7 /base/server/cms/src/org
parent4a81377c26e68c48b78c90f2a61970373dd1a6fa (diff)
Added mechanism to import existing CA certificate.
The deployment procedure for an external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import a CA certificate from an existing server. It also removes the requirement to keep the server running while waiting for the CSR to be signed by an external CA. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
Diffstat (limited to 'base/server/cms/src/org')
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java38
1 files changed, 34 insertions, 4 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index a0138681a..697196a6e 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -20,6 +20,7 @@ package org.dogtagpki.server.rest;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.ArrayList;
@@ -420,7 +421,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cs.commit(false);
- if (!request.getStepTwo()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+ // load key pair for existing and externally-signed signing cert
+ CMS.debug("SystemConfigService: loading signing cert key pair");
+ KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname());
+ ConfigurationUtils.storeKeyPair(cs, tag, pair);
+
+ } else if (!request.getStepTwo()) {
if (keytype.equals("ecc")) {
String curvename = certData.getKeyCurveName() != null ?
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
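Review bot: The condition `request.isExternal() && tag.equals("signing")` introduced on the new `if` here is spelled out identically in each of the four hunks of this commit (key-pair loading, configuration update, cert-request loading and the `hasSigningCert` update); evaluating it once per loop iteration as `boolean externalSigningCert = request.isExternal() && tag.equals("signing");` and testing that local in all four places would keep the branches from drifting apart and make the repeated `// external/existing CA` trailing comments unnecessary. Separately, `certData.getNickname()` is handed straight to `ConfigurationUtils.loadKeyPair` without the null handling that `getKeyCurveName()` receives two lines below; if `loadKeyPair` does not validate its argument itself, a request without a nickname would presumably surface as an opaque failure rather than a clear error. The enclosing method starts before this hunk.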
@@ -443,7 +450,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem"));
cert.setType(cs.getString("preop.cert." + tag + ".type"));
- if (!request.getStepTwo()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+
+ // update configuration for existing or externally-signed signing certificate
+ String certStr = cs.getString("ca." + tag + ".cert" );
+ cert.setCert(certStr);
+ CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr);
+ ConfigurationUtils.updateConfig(cs, tag);
+
+ } else if (!request.getStepTwo()) {
ConfigurationUtils.configCert(null, null, null, cert);
} else {
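Review bot: The new `cs.getString("ca." + tag + ".cert" )` has a stray space before the closing parenthesis; write it as `String certStr = cs.getString("ca." + tag + ".cert");`. Within this branch `tag` is always `"signing"`, so the behaviour depends on `ca.signing.cert` already being populated when an external or existing CA is configured; if that property can be absent at this point (the commit description says the CSR is now generated before the server starts), a short comment stating that precondition above the lookup would help the next reader, e.g. `// precondition: ca.signing.cert was populated by the pre-start import step`. The enclosing method starts before this hunk.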
@@ -465,8 +480,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr);
}
- // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
- if (request.getStandAlone()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+
+ CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert");
+ ConfigurationUtils.loadCertRequest(cs, tag, cert);
+
+ CMS.debug("SystemConfigService: Loading cert " + tag);
+ ConfigurationUtils.loadCert(cs, cert);
+
+ } else if (request.getStandAlone()) {
+ // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
if (!request.getStepTwo()) {
// Stand-alone PKI (Step 1)
ConfigurationUtils.handleCertRequest(cs, tag, cert);
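Review bot: The comment `// Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)` was moved from above the `if` chain to inside the `else if (request.getStandAlone())` branch, where it now sits directly over the stand-alone handling it says it excludes and reads as a description of that branch. It described the whole chain (stand-alone step 1 plus the non-stand-alone `else`), so it belongs above the new `if (request.isExternal() && tag.equals("signing"))`, or should be reworded for its new position, e.g. `// Stand-alone PKI: step 1 generates the request; step 2 is handled elsewhere`. The enclosing method and the remainder of this `if` chain continue outside the hunk.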
@@ -489,6 +512,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
ConfigurationUtils.updateCloneConfig();
}
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+ CMS.debug("SystemConfigService: External CA has signing cert");
+ hasSigningCert.setValue(true);
+ certs.add(cert);
+ continue;
+ }
+
// to determine if we have the signing cert when using an external ca
// this will only execute on a ca or stand-alone pki
String b64 = certData.getCert();