Diffstat (limited to 'base/server/python')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py37
1 files changed, 33 insertions, 4 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 64ee4e5f6..97f6d3e60 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,6 +39,31 @@ import pki.util
# PKI Deployment Configuration Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ def store_cert_tokens(self, subsystem, deployer):
+
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+ deployer.mdict['pki_audit_signing_token'])
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+ deployer.mdict['pki_ssl_server_token'])
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+ deployer.mdict['pki_subsystem_token'])
+
+ if subsystem.name == 'ca':
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
+ elif subsystem.name == 'kra':
+ subsystem.config['kra.storage.tokenname'] = (
+ deployer.mdict['pki_storage_token'])
+ subsystem.config['kra.transport.tokenname'] = (
+ deployer.mdict['pki_transport_token'])
+
+ elif subsystem.name == 'ocsp':
+ subsystem.config['ocsp.signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_configuration']):
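Review bot: `store_cert_tokens` is added without a docstring, and its contract is not obvious from the name. It only copies the `pki_*_token` deployment parameters into the in-memory `subsystem.config` and leaves persisting them to the caller's `subsystem.save()`. For any subsystem name other than `ca`, `kra` or `ocsp`, it writes just the three common entries (audit_signing, sslserver, subsystem). These entries presumably tell the server which token holds each system certificate's key, so the docstring should state both facts, e.g. `"""Copy the pki_*_token parameters into the subsystem's *.tokenname entries; the caller must call subsystem.save()."""`. The body of `spawn` continues outside this hunk.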
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
nickname=signing_nickname,
output_format='base64')
subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
subsystem.config['ca.signing.cert'] = signing_cert_data
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
deployer.mdict['pki_ca_signing_signing_algorithm'])
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
subsystem.save()
# verify the signing certificate
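Review bot: The comment `# Store cert tokens in CS.cfg.` understates what the call does at this point. The removed lines set only `ca.signing.tokenname`, while the helper also sets the audit_signing, sslserver, subsystem and `ca.ocsp_signing` token names, and nothing reaches CS.cfg until `subsystem.save()` runs below. A comment such as `# Record the token name of every system cert (not only the CA signing cert); persisted by save() below.` would make the wider effect visible to the next reader. The enclosing branch of `spawn` starts and ends outside this hunk.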
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance, 'ca')
verifier.verify_certificate('signing')
- else: # self-signed CA
+ else: # other installation types
# To be implemented in ticket #1692.
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Self sign CA cert.
# Import self-signed CA cert into NSS database.
- pass
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
+ subsystem.save()
finally:
nssdb.close()
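Review bot: In the `else` branch, the new live call sits directly under comments that describe steps not yet implemented (`# Self sign CA cert.`, `# Import self-signed CA cert into NSS database.`), and its own comment uses the same style. A reader cannot tell which lines are placeholders for ticket #1692 and which actually run. Marking the unimplemented steps, e.g. `# TODO(#1692): self sign CA cert.`, would separate them from the executed code. The `self.store_cert_tokens(subsystem, deployer)` / `subsystem.save()` pair now also appears in both branches, so it could be shared if the certificate verification in the first branch allows it. The `else` block begins outside this hunk, so that restructuring needs checking against the full function.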