authorEndi S. Dewata <edewata@redhat.com>2016-02-19 15:09:49 +0100
committerEndi S. Dewata <edewata@redhat.com>2016-02-25 15:51:06 +0100
commitb48889a2ef41fd45ca69c3926c36ef075777447c (patch)
treea916c780993fe9905adfd34c3666fd57fcc8023e /base/server/python/pki/server/cli/instance.py
parentb74bf9b82102715e08fa3fd3bd5ce9462312aded (diff)
Added pki-server commands to export system certificates.
Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server/cli/instance.py')
-rw-r--r--base/server/python/pki/server/cli/instance.py94
1 files changed, 94 insertions, 0 deletions
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 5e70e5f28..b5e6a5e41 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -21,6 +21,7 @@
from __future__ import absolute_import
from __future__ import print_function
import getopt
+import getpass
import os
import sys
@@ -35,6 +36,7 @@ class InstanceCLI(pki.cli.CLI):
super(InstanceCLI, self).__init__('instance',
'Instance management commands')
+ self.add_module(InstanceCertCLI())
self.add_module(InstanceFindCLI())
self.add_module(InstanceShowCLI())
self.add_module(InstanceStartCLI())
@@ -49,6 +51,98 @@ class InstanceCLI(pki.cli.CLI):
print(' Active: %s' % instance.is_active())
+class InstanceCertCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(InstanceCertCLI, self).__init__(
+ 'cert', 'Instance certificate management commands')
+
+ self.add_module(InstanceCertExportCLI())
+
+
+class InstanceCertExportCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(InstanceCertExportCLI, self).__init__(
+ 'export', 'Export subsystem certificate')
+
+ def print_help(self): # flake8: noqa
+ print('Usage: pki-server instance-cert-export [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.')
+ print(' --pkcs12-password <password> Password for the PKCS #12 file.')
+ print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+ 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ pkcs12_file = None
+ pkcs12_password = None
+ pkcs12_password_file = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--pkcs12-file':
+ pkcs12_file = a
+
+ elif o == '--pkcs12-password':
+ pkcs12_password = a
+
+ elif o == '--pkcs12-password-file':
+ pkcs12_password_file = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.print_help()
+ sys.exit(1)
+
+ if not pkcs12_file:
+ print('ERROR: missing output file')
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ if not pkcs12_password and not pkcs12_password_file:
+ pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ')
+
+ nssdb = instance.open_nssdb()
+ try:
+ nssdb.export_pkcs12(
+ pkcs12_file=pkcs12_file,
+ pkcs12_password=pkcs12_password,
+ pkcs12_password_file=pkcs12_password_file)
+ finally:
+ nssdb.close()
+
+ self.print_message('Exported certificates')
+
+
class InstanceFindCLI(pki.cli.CLI):
def __init__(self):
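Review bot: `--pkcs12-password` in `InstanceCertExportCLI.execute` takes the PKCS #12 password as a command-line argument, so it typically ends up in the process list and shell history, and the file it protects holds the instance's certificates and private keys. The help line in `print_help` should steer users to the alternatives, e.g. `--pkcs12-password <password>  Password for the PKCS #12 file (exposed on the command line; prefer the prompt or --pkcs12-password-file).` When both `--pkcs12-password` and `--pkcs12-password-file` are given, both are forwarded to `nssdb.export_pkcs12`, so which one wins is decided outside this hunk. A guard `if pkcs12_password and pkcs12_password_file:` using the existing `print('ERROR: ...')` / `self.print_help()` / `sys.exit(1)` pattern would make the choice explicit. How `export_pkcs12` passes the password on to the pki pkcs12 utility, and what permissions the output file is created with, are not visible here and should be confirmed before relying on this command for clone preparation.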