Added mechanism to import system certs via PKCS #12 file.

The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742

1 files changed, 3 insertions, 0 deletions

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index aefe0f45c..98fbb2fe7 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -27,6 +27,7 @@ sensitive_parameters=
     pki_pin
     pki_replication_password
     pki_security_domain_password
+    pki_server_pkcs12_password
     pki_token_password
 
 # The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
@@ -108,6 +109,8 @@ pki_security_domain_https_port=8443
 pki_security_domain_name=%(pki_dns_domainname)s Security Domain
 pki_security_domain_password=
 pki_security_domain_user=caadmin
+pki_server_pkcs12_path=
+pki_server_pkcs12_password=
 #for supporting server cert SAN injection
 pki_san_inject=False
 pki_san_for_server_cert=