summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--base/common/python/pki/nssdb.py6
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java2
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java15
-rw-r--r--base/server/etc/default.cfg5
-rw-r--r--base/server/man/man8/pkispawn.86
-rw-r--r--base/server/python/pki/server/cli/instance.py11
-rw-r--r--base/server/python/pki/server/cli/subsystem.py4
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py19
8 files changed, 41 insertions, 27 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 43a97146d..2fc2d420f 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -531,8 +531,10 @@ class NSSDatabase(object):
finally:
shutil.rmtree(tmpdir)
- def export_pkcs12(self, pkcs12_file, nicknames=None, pkcs12_password=None,
- pkcs12_password_file=None):
+ def export_pkcs12(self, pkcs12_file,
+ pkcs12_password=None,
+ pkcs12_password_file=None,
+ nicknames=None):
tmpdir = tempfile.mkdtemp()
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index c3c5ef489..48e4907cf 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -151,7 +151,7 @@ public class PKCS12CertAddCLI extends CLI {
pkcs12 = new PKCS12();
} else {
- // otherwise, add into the same file
+ // otherwise, add into the existing file
pkcs12 = util.loadFromFile(filename, password);
}
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index 52a993125..d42c449b4 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -18,6 +18,7 @@
package com.netscape.cmstools.pkcs12;
import java.io.BufferedReader;
+import java.io.File;
import java.io.FileReader;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -60,6 +61,7 @@ public class PKCS12ExportCLI extends CLI {
option.setArgName("path");
options.addOption(option);
+ options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
options.addOption("v", "verbose", false, "Run in verbose mode.");
@@ -124,14 +126,23 @@ public class PKCS12ExportCLI extends CLI {
Password password = new Password(passwordString.toCharArray());
+ boolean newFile = cmd.hasOption("new-file");
boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags");
try {
PKCS12Util util = new PKCS12Util();
util.setTrustFlagsEnabled(trustFlagsEnabled);
- // overwrite existing file
- PKCS12 pkcs12 = new PKCS12();
+ PKCS12 pkcs12;
+
+ if (newFile || !new File(filename).exists()) {
+ // if new file requested or file does not exist, create a new file
+ pkcs12 = new PKCS12();
+
+ } else {
+ // otherwise, export into the existing file
+ pkcs12 = util.loadFromFile(filename, password);
+ }
if (nicknames.length == 0) {
// load all certificates
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 98fbb2fe7..ae0021bb1 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -109,8 +109,6 @@ pki_security_domain_https_port=8443
pki_security_domain_name=%(pki_dns_domainname)s Security Domain
pki_security_domain_password=
pki_security_domain_user=caadmin
-pki_server_pkcs12_path=
-pki_server_pkcs12_password=
#for supporting server cert SAN injection
pki_san_inject=False
pki_san_for_server_cert=
@@ -192,6 +190,9 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
###############################################################################
[Tomcat]
pki_ajp_port=8009
+pki_server_pkcs12_path=
+pki_server_pkcs12_password=
+pki_server_external_certs_path=
pki_clone=False
pki_clone_pkcs12_password=
pki_clone_pkcs12_path=
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 92751d7d7..fa601fcae 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -607,10 +607,10 @@ pki_security_domain_https_port=<master_ca_https_port>
pki_security_domain_user=caadmin
[Tomcat]
-pki_clone=True
+pki_server_pkcs12_path=<path to pkcs12 file>
pki_server_pkcs12_password=\fISecret123\fP
-pki_server_pkcs12_path=<path_to_pkcs12_file>
-pki_server_external_cert_path=<path to external_certs.conf file>
+pki_server_external_certs_path=<path to external_certs.conf file>
+pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://<master_ca_hostname>:<master_ca_https_port>
.fi
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 5d1615329..a779f3c16 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -67,10 +67,10 @@ class InstanceCertExportCLI(pki.cli.CLI):
def __init__(self):
super(InstanceCertExportCLI, self).__init__(
- 'export', 'Export subsystem certificate')
+ 'export', 'Export system certificates')
def print_help(self): # flake8: noqa
- print('Usage: pki-server instance-cert-export [OPTIONS]')
+ print('Usage: pki-server instance-cert-export [OPTIONS] [nicknames...]')
print()
print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.')
@@ -83,7 +83,7 @@ class InstanceCertExportCLI(pki.cli.CLI):
def execute(self, argv):
try:
- opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=',
'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
'verbose', 'help'])
@@ -93,6 +93,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
self.print_help()
sys.exit(1)
+ nicknames = args
+
instance_name = 'pki-tomcat'
pkcs12_file = None
pkcs12_password = None
@@ -139,7 +141,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
nssdb.export_pkcs12(
pkcs12_file=pkcs12_file,
pkcs12_password=pkcs12_password,
- pkcs12_password_file=pkcs12_password_file)
+ pkcs12_password_file=pkcs12_password_file,
+ nicknames=nicknames)
finally:
nssdb.close()
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 8450f7b61..5ab232cc1 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -577,9 +577,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
try:
nssdb.export_pkcs12(
pkcs12_file=pkcs12_file,
- nicknames=nicknames,
pkcs12_password=pkcs12_password,
- pkcs12_password_file=pkcs12_password_file)
+ pkcs12_password_file=pkcs12_password_file,
+ nicknames=nicknames)
finally:
nssdb.close()
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 027c4c4cf..3947ad64c 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -85,12 +85,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_secmod_database'],
perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
+ # import system certificates before starting the server
+ pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
if pki_server_pkcs12_path:
- # importing system certificates
-
pki_server_pkcs12_password = deployer.mdict[
'pki_server_pkcs12_password']
if not pki_server_pkcs12_password:
@@ -105,9 +104,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
pkcs12_password=pki_server_pkcs12_password)
# update external CA file (if needed)
- external_cert_path = deployer.mdict['pki_server_external_cert_path']
- if external_cert_path is not None:
- self.update_external_cert_conf(external_cert_path, deployer)
+ external_certs_path = deployer.mdict['pki_server_external_certs_path']
+ if external_certs_path is not None:
+ self.update_external_certs_conf(external_certs_path, deployer)
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
# only create a self signed cert for a new instance
@@ -183,20 +182,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.file.delete(deployer.mdict['pki_shared_pfile'])
return self.rv
- def update_external_cert_conf(self, external_path, deployer):
+ def update_external_certs_conf(self, external_path, deployer):
external_certs = pki.server.PKIInstance.read_external_certs(
external_path)
if len(external_certs) > 0:
- instance = pki.server.PKIInstance(
- deployer.mdict['pki_instance_name'])
- instance.load_external_certs(
+ deployer.instance.load_external_certs(
os.path.join(deployer.mdict['pki_instance_configuration_path'],
'external_certs.conf')
)
for cert in external_certs:
- instance.add_external_cert(cert.nickname, cert.token)
+ deployer.instance.add_external_cert(cert.nickname, cert.token)
def destroy(self, deployer):