authorMartin Basti <mbasti@redhat.com>2015-07-01 14:02:24 +0200
committerJan Cholasta <jcholast@redhat.com>2015-07-02 10:59:53 +0000
commit2e329ecdc7c72045f276319d18df28549a51d4b9 (patch)
treebc817231e39128722f6a71110f478193ff867042
parentb5cb95431bffd39475fa82a453ef057890425529 (diff)
KRA Install: check replica file if contains req. certificates
https://fedorahosted.org/freeipa/ticket/5059 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/install/kra.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index b55dfb7..2586b4a 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -3,7 +3,9 @@
#
from ipalib import api, errors
+from ipapython import certdb
from ipapython import dogtag
+from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import cainstance
from ipaserver.install import krainstance
@@ -34,6 +36,20 @@ def install_check(api, replica_config, options):
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError("KRA is not installed on the master system")
+ with certdb.NSSDatabase() as tmpdb:
+ pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+ tmpdb.create_db(pw.name)
+ tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+ replica_config.dirman_password)
+ kra_cert_nicknames = [
+ "storageCert cert-pki-kra", "transportCert cert-pki-kra",
+ "auditSigningCert cert-pki-kra"
+ ]
+ if not all(tmpdb.has_nickname(nickname)
+ for nickname in kra_cert_nicknames):
+ raise RuntimeError("Missing KRA certificates, please create a "
+ "new replica file.")
+
def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
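Review bot: The new check in install_check only proves that three nicknames exist in the temporary NSS database, and the RuntimeError does not say which one is absent, so an admin cannot tell an old pre-KRA replica file from a partially damaged one. Collecting the absent names first, `missing = [n for n in kra_cert_nicknames if not tmpdb.has_nickname(n)]`, and putting them in the message would make the failure actionable. A nickname being present presumably says nothing about whether the matching private key was imported or whether the certificate is still valid, so a comment stating that this is a presence check only would keep later readers from over-trusting it. The generated password is written to disk through `pw` and never explicitly closed; if write_tmp_file returns a self-deleting temporary file this is fine, but that assumption deserves a one-line comment, and a failure inside `import_pkcs12` (missing cacert.p12, wrong Directory Manager password) appears to propagate without a replica-file-specific message. install_check starts above the hunk, so earlier handling is not visible here.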