diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-03-17 15:23:34 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-02 07:48:58 +0200 |
| commit | 9eba5f33f04348ee4b243d3fc0d095268f824115 (patch) | |
| tree | 67dddaf27686f295f5ae478dccab9c8ad2b7cb15 /base/server/python/pki/server/deployment/scriptlets/security_databases.py | |
| parent | 9bd9548d5c1718ad8159f2134f170649c092a581 (diff) | |
| download | pki-9eba5f33f04348ee4b243d3fc0d095268f824115.tar.gz pki-9eba5f33f04348ee4b243d3fc0d095268f824115.tar.xz pki-9eba5f33f04348ee4b243d3fc0d095268f824115.zip | |
Added support for cloning 3rd-party CA certificates.
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/security_databases.py')
| -rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 0c3d606de..00df1eb33 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -109,6 +109,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if external_certs_path is not None: self.update_external_certs_conf(external_certs_path, deployer) + # import CA certificates from PKCS #12 file for cloning + pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path'] + + if pki_clone_pkcs12_path: + + pki_clone_pkcs12_password = deployer.mdict[ + 'pki_clone_pkcs12_password'] + if not pki_clone_pkcs12_password: + raise Exception('Missing pki_clone_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( + directory=deployer.mdict['pki_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + nssdb.import_pkcs12( + pkcs12_file=pki_clone_pkcs12_path, + pkcs12_password=pki_clone_pkcs12_password, + no_user_certs=True) + if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance # |