From 08f032de4090467ac4096f970609e19834b997ac Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 25 Mar 2016 03:12:27 +0100 Subject: Simplified deployment properties for existing CA case. A new pki_existing deployment property has been added to install CA with existing CA certificate and key in a single step. New certificate deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_ca_signing_csr_path -> pki_external_csr_path - pki_ca_signing_cert_path -> pki_external_ca_cert_path - pki_cert_chain_path -> pki_external_ca_cert_chain_path - pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname https://fedorahosted.org/pki/ticket/1736 --- .../server/deployment/scriptlets/configuration.py | 38 +++++++++++++++++----- 1 file changed, 30 insertions(+), 8 deletions(-) (limited to 'base/server/python/pki/server/deployment/scriptlets') diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index b5d743894..cc8c7f9b6 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -93,13 +93,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): token = deployer.mdict['pki_token_name'] nssdb = instance.open_nssdb(token) + existing = deployer.configuration_file.existing external = deployer.configuration_file.external step_one = deployer.configuration_file.external_step_one step_two = deployer.configuration_file.external_step_two try: - if external and step_one: # external/existing CA step 1 + if external and step_one: # external CA step 1 only + # Determine CA signing key type and algorithm key_type = deployer.mdict['pki_ca_signing_key_type'] key_alg = deployer.mdict['pki_ca_signing_key_algorithm'] @@ -129,6 +131,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # import it into CS.cfg. external_csr_path = deployer.mdict['pki_external_csr_path'] if external_csr_path: + config.pki_log.info( + "generating CA signing certificate request in %s", + external_csr_path, + extra=config.PKI_INDENTATION_LEVEL_2) nssdb.create_request( subject_dn=deployer.mdict['pki_ca_signing_subject_dn'], request_file=external_csr_path, @@ -136,8 +142,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): key_size=key_size, curve=curve, hash_alg=hash_alg) + with open(external_csr_path) as f: signing_csr = f.read() + signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr @@ -147,20 +155,27 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): subsystem.save() - elif external and step_two: # external/existing CA step 2 + if existing or external and step_two: # existing CA or external CA step 2 - # If specified, import existing CA cert request into CS.cfg. - external_csr_path = deployer.mdict['pki_external_csr_path'] - if external_csr_path: - with open(external_csr_path) as f: + # If specified, import CA signing CSR into CS.cfg. + signing_csr_path = deployer.mdict['pki_external_csr_path'] + if signing_csr_path: + config.pki_log.info( + "importing CA signing CSR from %s", + signing_csr_path, + extra=config.PKI_INDENTATION_LEVEL_2) + with open(signing_csr_path) as f: signing_csr = f.read() signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr - # If specified, import externally-signed CA cert into NSS database. + # If specified, import CA signing cert into NSS database. signing_nickname = deployer.mdict['pki_ca_signing_nickname'] signing_cert_file = deployer.mdict['pki_external_ca_cert_path'] if signing_cert_file: + config.pki_log.info( + "importing %s from %s", signing_nickname, signing_cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) nssdb.add_cert( nickname=signing_nickname, cert_file=signing_cert_file, @@ -169,6 +184,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # If specified, import certs and keys from PKCS #12 file into NSS database. pkcs12_file = deployer.mdict['pki_external_pkcs12_path'] if pkcs12_file: + config.pki_log.info( + "importing certificates and keys from %s", pkcs12_file, + extra=config.PKI_INDENTATION_LEVEL_2) pkcs12_password = deployer.mdict['pki_external_pkcs12_password'] nssdb.import_pkcs12(pkcs12_file, pkcs12_password) @@ -179,13 +197,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_external_ca_cert_chain_nickname'] external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] if external_ca_cert_chain_file: + config.pki_log.info( + "importing certificate chain %s from %s", + external_ca_cert_chain_nickname, external_ca_cert_chain_file, + extra=config.PKI_INDENTATION_LEVEL_2) cert_chain, _nicks = nssdb.import_cert_chain( nickname=external_ca_cert_chain_nickname, cert_chain_file=external_ca_cert_chain_file, trust_attributes='CT,C,C') subsystem.config['ca.external_ca_chain.cert'] = cert_chain - # Export CA cert from NSS database and import it into CS.cfg. + # Export CA signing cert from NSS database and import it into CS.cfg. signing_cert_data = nssdb.get_cert( nickname=signing_nickname, output_format='base64') -- cgit