authorJan Cholasta <jcholast@redhat.com>2014-09-24 16:48:15 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 08:50:47 +0200
commit3cde7e9cfd7908b24082e3e50cdd0955726223d0 (patch)
tree235ef572fd448a2246b5a9ede1787f5250e6ffb9 /ipaserver
parent88083887c994ab505d6e07151e5dd26b56bb7732 (diff)
Allow choosing CA-less server certificates by name
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare and --cert-name option to ipa-server-certinstall. The options allow choosing a particular certificate and private key from PKCS#12 files by its friendly name. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ipa_replica_prepare.py18
-rw-r--r--ipaserver/install/ipa_server_certinstall.py6
2 files changed, 20 insertions, 4 deletions
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 7504172c5..ce0cff22a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -108,6 +108,15 @@ class ReplicaPrepare(admintool.AdminTool):
help="The password to unlock the Kerberos KDC private key")
group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
help=SUPPRESS_HELP)
+ group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
+ metavar="NAME",
+ help="Name of the Directory Server SSL certificate to install")
+ group.add_option("--http-cert-name", dest="http_cert_name",
+ metavar="NAME",
+ help="Name of the Apache Server SSL certificate to install")
+ group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
+ metavar="NAME",
+ help="Name of the Kerberos KDC SSL certificate to install")
parser.add_option_group(group)
def validate_options(self):
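Review bot: The help strings for the three new options (and for `--cert-name` in ipa_server_certinstall.py) do not say that NAME is the friendly name of an entry inside the PKCS#12 file, which is how the commit description defines it. Wording such as `help="Friendly name of the Directory Server SSL certificate to pick from the PKCS#12 file"` would tell an operator what to pass. validate_options starts on the last line of this hunk and its body is not shown, so it is not visible whether a name given without the matching certificate files is rejected. If it is not, a check there that raises `admintool.ScriptError` would stop the option from being silently ignored.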
@@ -262,7 +271,8 @@ class ReplicaPrepare(admintool.AdminTool):
raise admintool.ScriptError(
"Apache Server private key unlock password required")
http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
- options.http_cert_files, options.http_pin, None)
+ options.http_cert_files, options.http_pin,
+ options.http_cert_name)
self.http_pkcs12_file = http_pkcs12_file
self.http_pin = http_pin
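Review bot: `options.http_cert_name` is passed to `self.load_pkcs12` as the selector, but a PKCS#12 friendly name is a free-text label that need not be unique, and this hunk does not show what happens when it matches no entry or several. load_pkcs12 is defined outside the diff, so it is worth confirming that it fails with an error naming the requested name rather than falling back to a different key pair. The same applies to the dirsrv and pkinit calls in the next two hunks and to `key_nickname=self.options.cert_name` in ipa_server_certinstall.py. If load_pkcs12 does still validate the selected certificate, a comment above the call such as `# cert name only selects the PKCS#12 entry; validation of the chosen cert happens in load_pkcs12` would record that the name is not a trust decision. The enclosing method begins and ends outside this hunk.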
@@ -275,7 +285,8 @@ class ReplicaPrepare(admintool.AdminTool):
raise admintool.ScriptError(
"Directory Server private key unlock password required")
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
- options.dirsrv_cert_files, options.dirsrv_pin, None)
+ options.dirsrv_cert_files, options.dirsrv_pin,
+ options.dirsrv_cert_name)
self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
self.dirsrv_pin = dirsrv_pin
@@ -288,7 +299,8 @@ class ReplicaPrepare(admintool.AdminTool):
raise admintool.ScriptError(
"Kerberos KDC private key unlock password required")
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
- options.pkinit_cert_files, options.pkinit_pin, None)
+ options.pkinit_cert_files, options.pkinit_pin,
+ options.pkinit_cert_name)
self.pkinit_pkcs12_file = pkinit_pkcs12_file
self.pkinit_pin = pkinit_pin
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 1744a6eb8..9165ac1c9 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -61,6 +61,10 @@ class ServerCertInstall(admintool.AdminTool):
dest="pin",
help=optparse.SUPPRESS_HELP)
parser.add_option(
+ "--cert-name",
+ dest="cert_name", metavar="NAME",
+ help="Name of the certificate to install")
+ parser.add_option(
"-p", "--dirman-password",
dest="dirman_password",
help="Directory Manager password")
@@ -155,7 +159,7 @@ class ServerCertInstall(admintool.AdminTool):
pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
cert_files=self.args,
key_password=pkcs12_passwd,
- key_nickname=None,
+ key_nickname=self.options.cert_name,
ca_cert_files=[CACERT],
host_name=api.env.host)