From b48889a2ef41fd45ca69c3926c36ef075777447c Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 19 Feb 2016 15:09:49 +0100 Subject: Added pki-server commands to export system certificates. Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server -clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742 --- base/server/python/pki/server/cli/instance.py | 94 +++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) (limited to 'base/server/python/pki/server/cli/instance.py') diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py index 5e70e5f28..b5e6a5e41 100644 --- a/base/server/python/pki/server/cli/instance.py +++ b/base/server/python/pki/server/cli/instance.py @@ -21,6 +21,7 @@ from __future__ import absolute_import from __future__ import print_function import getopt +import getpass import os import sys @@ -35,6 +36,7 @@ class InstanceCLI(pki.cli.CLI): super(InstanceCLI, self).__init__('instance', 'Instance management commands') + self.add_module(InstanceCertCLI()) self.add_module(InstanceFindCLI()) self.add_module(InstanceShowCLI()) self.add_module(InstanceStartCLI()) @@ -49,6 +51,98 @@ class InstanceCLI(pki.cli.CLI): print(' Active: %s' % instance.is_active()) +class InstanceCertCLI(pki.cli.CLI): + + def __init__(self): + super(InstanceCertCLI, self).__init__( + 'cert', 'Instance certificate management commands') + + self.add_module(InstanceCertExportCLI()) + + +class InstanceCertExportCLI(pki.cli.CLI): + + def __init__(self): + super(InstanceCertExportCLI, self).__init__( + 'export', 'Export subsystem certificate') + + def print_help(self): # flake8: noqa + print('Usage: pki-server instance-cert-export [OPTIONS]') + print() + print(' -i, --instance Instance ID (default: pki-tomcat).') + print(' --pkcs12-file Output file to store the exported certificate and key in PKCS #12 format.') + print(' --pkcs12-password Password for the PKCS #12 file.') + print(' --pkcs12-password-file Input file containing the password for the PKCS #12 file.') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + pkcs12_file = None + pkcs12_password = None + pkcs12_password_file = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--pkcs12-file': + pkcs12_file = a + + elif o == '--pkcs12-password': + pkcs12_password = a + + elif o == '--pkcs12-password-file': + pkcs12_password_file = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.print_help() + sys.exit(1) + + if not pkcs12_file: + print('ERROR: missing output file') + self.print_help() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + if not pkcs12_password and not pkcs12_password_file: + pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ') + + nssdb = instance.open_nssdb() + try: + nssdb.export_pkcs12( + pkcs12_file=pkcs12_file, + pkcs12_password=pkcs12_password, + pkcs12_password_file=pkcs12_password_file) + finally: + nssdb.close() + + self.print_message('Exported certificates') + + class InstanceFindCLI(pki.cli.CLI): def __init__(self): -- cgit