diff options
author | Endi S. Dewata <edewata@redhat.com> | 2016-02-19 15:09:49 +0100 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-02-25 15:51:06 +0100 |
commit | b48889a2ef41fd45ca69c3926c36ef075777447c (patch) | |
tree | a916c780993fe9905adfd34c3666fd57fcc8023e /base/server/python/pki/server/cli/instance.py | |
parent | b74bf9b82102715e08fa3fd3bd5ce9462312aded (diff) | |
download | pki-b48889a2ef41fd45ca69c3926c36ef075777447c.tar.gz pki-b48889a2ef41fd45ca69c3926c36ef075777447c.tar.xz pki-b48889a2ef41fd45ca69c3926c36ef075777447c.zip |
Added pki-server commands to export system certificates.
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server/cli/instance.py')
-rw-r--r-- | base/server/python/pki/server/cli/instance.py | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py index 5e70e5f28..b5e6a5e41 100644 --- a/base/server/python/pki/server/cli/instance.py +++ b/base/server/python/pki/server/cli/instance.py @@ -21,6 +21,7 @@ from __future__ import absolute_import from __future__ import print_function import getopt +import getpass import os import sys @@ -35,6 +36,7 @@ class InstanceCLI(pki.cli.CLI): super(InstanceCLI, self).__init__('instance', 'Instance management commands') + self.add_module(InstanceCertCLI()) self.add_module(InstanceFindCLI()) self.add_module(InstanceShowCLI()) self.add_module(InstanceStartCLI()) @@ -49,6 +51,98 @@ class InstanceCLI(pki.cli.CLI): print(' Active: %s' % instance.is_active()) +class InstanceCertCLI(pki.cli.CLI): + + def __init__(self): + super(InstanceCertCLI, self).__init__( + 'cert', 'Instance certificate management commands') + + self.add_module(InstanceCertExportCLI()) + + +class InstanceCertExportCLI(pki.cli.CLI): + + def __init__(self): + super(InstanceCertExportCLI, self).__init__( + 'export', 'Export subsystem certificate') + + def print_help(self): # flake8: noqa + print('Usage: pki-server instance-cert-export [OPTIONS]') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.') + print(' --pkcs12-password <password> Password for the PKCS #12 file.') + print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + pkcs12_file = None + pkcs12_password = None + pkcs12_password_file = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--pkcs12-file': + pkcs12_file = a + + elif o == '--pkcs12-password': + pkcs12_password = a + + elif o == '--pkcs12-password-file': + pkcs12_password_file = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.print_help() + sys.exit(1) + + if not pkcs12_file: + print('ERROR: missing output file') + self.print_help() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + if not pkcs12_password and not pkcs12_password_file: + pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ') + + nssdb = instance.open_nssdb() + try: + nssdb.export_pkcs12( + pkcs12_file=pkcs12_file, + pkcs12_password=pkcs12_password, + pkcs12_password_file=pkcs12_password_file) + finally: + nssdb.close() + + self.print_message('Exported certificates') + + class InstanceFindCLI(pki.cli.CLI): def __init__(self): |