3 files changed, 55 insertions, 7 deletions

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 429e1e93e..cd4e3e26f 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -632,10 +632,17 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_client_database_password")
         # Verify existence of Client PKCS #12 Password for Admin Cert
         self.confirm_data_exists("pki_client_pkcs12_password")
+
         if self.clone:
+
             # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                self.confirm_data_exists("pki_clone_pkcs12_password")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_password")
+
             # Verify absence of all PKCS #12 clone parameters for HSMs
             elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
                     ('pki_clone_pkcs12_password' in self.mdict and
@@ -645,6 +652,7 @@ class ConfigurationFile:
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 raise Exception(
                     log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
+
         # Verify existence of Security Domain Password
         # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
         #  Subordinate CA that will be automatically configured and
@@ -749,11 +757,18 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_http_port")
             self.confirm_data_exists("pki_https_port")
             self.confirm_data_exists("pki_tomcat_server_port")
+
+            # Check clone parameters for non-HSM clone
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                # Check clone parameters for non-HSM clone
-                self.confirm_data_exists("pki_clone_pkcs12_path")
-                self.confirm_file_exists("pki_clone_pkcs12_path")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_path")
+                    self.confirm_file_exists("pki_clone_pkcs12_path")
+
             self.confirm_data_exists("pki_clone_replication_security")
+
         elif self.external:
             # External CA
             if not self.external_step_two:
@@ -4032,6 +4047,8 @@ class ConfigClient:
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
+        data.systemCertsImported = self.mdict['pki_server_pkcs12_path'] != ''
+
         # Create system certs
         self.set_system_certs(data)
 
@@ -4308,10 +4325,15 @@ class ConfigClient:
     def set_cloning_parameters(self, data):
         data.isClone = "true"
         data.cloneUri = self.mdict['pki_clone_uri']
+
+        # Set these clone parameters for non-HSM clones only
         if not config.str2bool(self.mdict['pki_hsm_enable']):
-            # Set these clone parameters for non-HSM clones only
-            data.p12File = self.mdict['pki_clone_pkcs12_path']
-            data.p12Password = self.mdict['pki_clone_pkcs12_password']
+            # If system certificates are already provided via pki_server_pkcs12
+            # there's no need to provide pki_clone_pkcs12.
+            if not self.mdict['pki_server_pkcs12_path']:
+                data.p12File = self.mdict['pki_clone_pkcs12_path']
+                data.p12Password = self.mdict['pki_clone_pkcs12_password']
+
         if config.str2bool(self.mdict['pki_clone_replicate_schema']):
             data.replicateSchema = "true"
         else:
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 77a1cdf2d..ca9ef998f 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -346,6 +346,7 @@ class PKIConfigParser:
                     'pki_pin',
                     'pki_replication_password',
                     'pki_security_domain_password',
+                    'pki_server_pkcs12_password',
                     'pki_token_password')
 
                 print('Loading deployment configuration from ' +
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 94ecbc2f0..a723b1da9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -20,6 +20,8 @@
 
 from __future__ import absolute_import
 
+import pki.nssdb
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkimessages as log
@@ -36,8 +38,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
             return self.rv
+
         config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.password.create_hsm_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
@@ -47,6 +51,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.password.create_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
                 deployer.mdict['pki_pin'])
+
         # Since 'certutil' does NOT strip the 'token=' portion of
         # the 'token=password' entries, create a temporary server 'pfile'
         # which ONLY contains the 'password' for the purposes of
@@ -55,12 +60,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_shared_pfile'],
             deployer.mdict['pki_pin'], pin_sans_token=True)
         deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
+
         deployer.certutil.create_security_databases(
             deployer.mdict['pki_database_path'],
             deployer.mdict['pki_cert_database'],
             deployer.mdict['pki_key_database'],
             deployer.mdict['pki_secmod_database'],
             password_file=deployer.mdict['pki_shared_pfile'])
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.modutil.register_security_module(
                 deployer.mdict['pki_database_path'],
@@ -76,6 +83,24 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_secmod_database'],
             perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 
+        pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
+
+        if pki_server_pkcs12_path:
+
+            # importing system certificates
+
+            pki_server_pkcs12_password = deployer.mdict['pki_server_pkcs12_password']
+            if not pki_server_pkcs12_password:
+                raise Exception('Missing pki_server_pkcs12_password property.')
+
+            nssdb = pki.nssdb.NSSDatabase(
+                directory=deployer.mdict['pki_database_path'],
+                password_file=deployer.mdict['pki_shared_pfile'])
+
+            nssdb.import_pkcs12(
+                pkcs12_file=pki_server_pkcs12_path,
+                pkcs12_password=pki_server_pkcs12_password)
+
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
             #