| -rw-r--r-- | ipaserver/install/certs.py | 40 | ||||
| -rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 2 | ||||
| -rw-r--r-- | ipaserver/install/krbinstance.py | 7 |
3 files changed, 24 insertions, 25 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 001b03f3b..172521562 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -61,6 +61,27 @@ def get_cert_nickname(cert):
     return (str(dn[0]), dn)
 
 
+def install_pem_from_p12(p12_fname, p12_passwd, pem_fname):
+    pwd = ipautil.write_tmp_file(p12_passwd)
+    ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys",
+                 "-in", p12_fname, "-out", pem_fname,
+                 "-passin", "file:" + pwd.name])
+
+
+def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
+    pwd = ipautil.write_tmp_file(p12_passwd)
+    ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts",
+                 "-in", p12_fname, "-out", pem_fname,
+                 "-passin", "file:" + pwd.name])
+
+
+def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
+    ipautil.run([paths.OPENSSL, "pkcs12",
+                 "-export", "-name", nickname,
+                 "-in", pem_fname, "-out", pkcs12_fname,
+                 "-passout", "file:" + pkcs12_pwd_fname])
+
+
 class CertDB(object):
     """An IPA-server-specific wrapper around NSS
 
@@ -538,13 +559,6 @@ class CertDB(object):
                      "-k", self.passwd_fname,
                      "-w", pkcs12_pwd_fname])
 
-    def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
-                       nickname, pem_fname):
-        ipautil.run([paths.OPENSSL, "pkcs12",
-                     "-export", "-name", nickname,
-                     "-in", pem_fname, "-out", pkcs12_fname,
-                     "-passout", "file:" + pkcs12_pwd_fname])
-
     def create_from_cacert(self):
         cacert_fname = paths.IPA_CA_CRT
         if ipautil.file_exists(self.certdb_fname):
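Review bot: The three new module-level functions in the first hunk of certs.py (`install_pem_from_p12`, `install_key_from_p12`, `export_pem_p12`) are now public module API but carry no docstrings, and the security-relevant detail of `install_key_from_p12` — the `-nodes` flag writes the extracted private key to `pem_fname` unencrypted — is only discoverable by reading the openssl arguments. I would add a one-line docstring to each; for the key helper, `"""Extract the private key from *p12_fname* into *pem_fname* in plain (unencrypted) PEM form; callers must place it under a protected path."""`. The password temp file from `ipautil.write_tmp_file` is kept alive only by the local `pwd` binding, which presumably is what removes it once `ipautil.run` returns — worth a short comment so a future refactor does not inline the call and lose the file before openssl reads it. The same three functions are deleted as methods in the second hunk and in the next file section, so the note applies to the new definitions only.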
@@ -629,18 +643,6 @@ class CertDB(object):
         self.create_pin_file()
         self.export_ca_cert(nickname, False)
 
-    def install_pem_from_p12(self, p12_fname, p12_passwd, pem_fname):
-        pwd = ipautil.write_tmp_file(p12_passwd)
-        ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys",
-                     "-in", p12_fname, "-out", pem_fname,
-                     "-passin", "file:" + pwd.name])
-
-    def install_key_from_p12(self, p12_fname, p12_passwd, pem_fname):
-        pwd = ipautil.write_tmp_file(p12_passwd)
-        ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts",
-                     "-in", p12_fname, "-out", pem_fname,
-                     "-passin", "file:" + pwd.name])
-
     def publish_ca_cert(self, location):
         self.nssdb.publish_ca_cert(self.cacert_name, location)
 
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 14d5c7397..6fa4b4a42 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -607,7 +607,7 @@ class ReplicaPrepare(admintool.AdminTool):
 
         try:
             if is_kdc:
-                db.export_pem_p12(pkcs12_fname, passwd_fname,
+                certs.export_pem_p12(pkcs12_fname, passwd_fname,
                                   nickname, os.path.join(self.dir, "kdc.pem"))
             else:
                 db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 44b382126..9aa3b62e4 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -346,14 +346,11 @@ class KrbInstance(service.Service):
         self.move_service_to_host(host_principal)
 
     def setup_pkinit(self):
-        ca_db = certs.CertDB(self.realm, host_name=self.fqdn,
-                             subject_base=self.subject_base)
-
         if self.pkcs12_info:
-            ca_db.install_pem_from_p12(self.pkcs12_info[0],
+            certs.install_pem_from_p12(self.pkcs12_info[0],
                                        self.pkcs12_info[1],
                                        paths.KDC_CERT)
-            ca_db.install_key_from_p12(self.pkcs12_info[0],
+            certs.install_key_from_p12(self.pkcs12_info[0],
                                        self.pkcs12_info[1],
                                        paths.KDC_KEY)
         else:
|
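Review bot: The ipa_replica_prepare.py hunk now calls `certs.export_pem_p12(...)` through the module name, but the hunk does not show that `certs` is imported in that file — the old line went through the `db` instance, so nothing in the visible context proves the module-level name is in scope. If `db` is constructed as `certs.CertDB(...)` elsewhere in the file the import exists; otherwise this raises NameError only on the `is_kdc` path, which an install test without a KDC certificate would not exercise. Please confirm the import (and that the continuation line's indentation still aligns after the longer call name, which is cosmetic only). The enclosing `try` block and `setup_pkinit` in the krbinstance.py hunk both continue outside the hunk.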
