diff options
author | Ade Lee <alee@redhat.com> | 2016-02-27 02:32:14 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2016-03-01 23:55:45 -0500 |
commit | 20a70830961f532e9483baefb64cc92af7cda8b2 (patch) | |
tree | e57c8b209c1d30694ae533a9197fe0938eea2a53 /base/server/python/pki/server/deployment/scriptlets | |
parent | 2d7722f2c9b8230e79d258ad7aa1be1e87804518 (diff) | |
download | pki-20a70830961f532e9483baefb64cc92af7cda8b2.tar.gz pki-20a70830961f532e9483baefb64cc92af7cda8b2.tar.xz pki-20a70830961f532e9483baefb64cc92af7cda8b2.zip |
Handle import and export of external certs
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 2 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 25 |
2 files changed, 25 insertions, 2 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index d06d88f1d..79b66757a 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -162,7 +162,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_external_ca_cert_chain_nickname'] external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] if external_ca_cert_chain_file: - cert_chain = nssdb.import_cert_chain( + cert_chain, _nicks = nssdb.import_cert_chain( nickname=external_ca_cert_chain_nickname, cert_chain_file=external_ca_cert_chain_file, trust_attributes='CT,C,C') diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index a723b1da9..027c4c4cf 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -20,7 +20,9 @@ from __future__ import absolute_import +import os import pki.nssdb +import pki.server # PKI Deployment Imports from .. import pkiconfig as config @@ -89,7 +91,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # importing system certificates - pki_server_pkcs12_password = deployer.mdict['pki_server_pkcs12_password'] + pki_server_pkcs12_password = deployer.mdict[ + 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: raise Exception('Missing pki_server_pkcs12_password property.') @@ -101,6 +104,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): pkcs12_file=pki_server_pkcs12_path, pkcs12_password=pki_server_pkcs12_password) + # update external CA file (if needed) + external_cert_path = deployer.mdict['pki_server_external_cert_path'] + if external_cert_path is not None: + self.update_external_cert_conf(external_cert_path, deployer) + if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance # @@ -175,6 +183,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.file.delete(deployer.mdict['pki_shared_pfile']) return self.rv + def update_external_cert_conf(self, external_path, deployer): + external_certs = pki.server.PKIInstance.read_external_certs( + external_path) + + if len(external_certs) > 0: + instance = pki.server.PKIInstance( + deployer.mdict['pki_instance_name']) + instance.load_external_certs( + os.path.join(deployer.mdict['pki_instance_configuration_path'], + 'external_certs.conf') + ) + + for cert in external_certs: + instance.add_external_cert(cert.nickname, cert.token) + def destroy(self, deployer): config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, |