summaryrefslogtreecommitdiffstats
path: root/ipapython/certmonger.py
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2012-07-11 15:51:01 -0400
committerMartin Kosek <mkosek@redhat.com>2012-07-30 13:39:08 +0200
commit03837bfd6dbf7fd1eaa437da22807d7061b99af7 (patch)
tree746a0d63ca10adeb72b792e2557c6a918181bb96 /ipapython/certmonger.py
parente345ad12eb05e53246c2eca54616f9001765c291 (diff)
downloadfreeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.gz
freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.xz
freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.zip
Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
Diffstat (limited to 'ipapython/certmonger.py')
-rw-r--r--ipapython/certmonger.py65
1 files changed, 65 insertions, 0 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 22a599ae6..bdc8591e7 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -22,6 +22,7 @@
# server certificates created during the IPA server installation.
import os
+import sys
import re
import time
from ipapython import ipautil
@@ -329,6 +330,70 @@ def remove_principal_from_cas():
fp.write(line)
fp.close()
+# Routines specific to renewing dogtag CA certificates
+def get_pin(token):
+ """
+ Dogtag stores its NSS pin in a file formatted as token:PIN.
+
+ The caller is expected to handle any exceptions raised.
+ """
+ filename = '/var/lib/pki-ca/conf/password.conf'
+ with open(filename, 'r') as f:
+ for line in f:
+ (tok, pin) = line.split('=', 1)
+ if token == tok:
+ return pin.strip()
+ return None
+
+def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
+ """
+ Tell certmonger to start tracking a dogtag CA certificate. These
+ are handled differently because their renewal must be done directly
+ and not through IPA.
+
+ This uses the generic certmonger command getcert so we can specify
+ a different helper.
+
+ command is the script to execute.
+
+ Returns the stdout, stderr and returncode from running ipa-getcert
+
+ This assumes that certmonger is already running.
+ """
+ if not cert_exists(nickname, os.path.abspath(secdir)):
+ raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
+
+ if command is not None and not os.path.isabs(command):
+ if sys.maxsize > 2**32:
+ libpath = 'lib64'
+ else:
+ libpath = 'lib'
+ command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
+
+ args = ["/usr/bin/getcert", "start-tracking",
+ "-d", os.path.abspath(secdir),
+ "-n", nickname,
+ "-c", ca,
+ "-C", command,
+ ]
+
+ if pinfile:
+ args.append("-p")
+ args.append(pinfile)
+ else:
+ args.append("-P")
+ args.append(pin)
+
+ if ca == 'dogtag-ipa-retrieve-agent-submit':
+ # We cheat and pass in the nickname as the profile when
+ # renewing on a clone. The submit otherwise doesn't pass in the
+ # nickname and we need some way to find the right entry in LDAP.
+ args.append("-T")
+ args.append(nickname)
+
+ (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+
+
if __name__ == '__main__':
request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
csr = get_request_value(request_id, 'csr')