Fixes: https://fedorahosted.org/freeipa/ticket/5059

Patch attached.

--
Martin Basti

From 3545cd4680cfe50983976204c71a2dc6df3788bb Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 1 Jul 2015 14:02:24 +0200
Subject: [PATCH] KRA Install: check replica file if contains req. certificates

https://fedorahosted.org/freeipa/ticket/5059
---
 ipaserver/install/kra.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index b55dfb70266af1ac94d19b3c1ee9499194401ef5..2586b4af22cd35292f78938880c80c5092477589 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -3,7 +3,9 @@
 #
 
 from ipalib import api, errors
+from ipapython import certdb
 from ipapython import dogtag
+from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
@@ -34,6 +36,20 @@ def install_check(api, replica_config, options):
         if not api.Command.kra_is_enabled()['result']:
             raise RuntimeError("KRA is not installed on the master system")
 
+        with certdb.NSSDatabase() as tmpdb:
+            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+            tmpdb.create_db(pw.name)
+            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+                                replica_config.dirman_password)
+            kra_cert_nicknames = [
+                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
+                "auditSigningCert cert-pki-kra"
+            ]
+            if not all(tmpdb.has_nickname(nickname)
+                       for nickname in kra_cert_nicknames):
+                raise RuntimeError("Missing KRA certificates, please create a "
+                                   "new replica file.")
+
 
 def install(api, replica_config, options):
     subject = dsinstance.DsInstance().find_subject_base()
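Review bot: Failures inside the new `with certdb.NSSDatabase()` block — `cacert.p12` absent from `replica_config.dir`, or a wrong directory manager password handed to `import_pkcs12` — propagate unhandled, so the operator gets a traceback instead of a plain RuntimeError like the KRA-not-enabled case two lines above, and the precheck cannot distinguish a damaged replica file from a bad password. I would catch the import failure and re-raise it as a RuntimeError naming the replica file, narrowing the except clause to whatever certdb actually raises (not visible in this hunk) rather than keeping the broad `Exception` placeholder in the sketch below. `has_nickname` presumably only confirms that a certificate with that nickname is present; if the PKCS#12 carried the storage and transport certificates without their private keys the check would still pass, so also verifying key presence, if NSSDatabase can enumerate keys, would make the precheck match what the KRA install actually needs. The `pw` temporary file holding the generated password is never explicitly closed in this block — if write_tmp_file returns a NamedTemporaryFile it disappears when the object is collected, but an explicit `pw.close()` after `import_pkcs12` makes the cleanup deterministic. install_check begins before the hunk (its `def` line appears only in the `@@` context).
```python
            tmpdb.create_db(pw.name)
            try:
                tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
                                    pw.name, replica_config.dirman_password)
            except Exception as e:  # TODO: narrow to the exception certdb raises
                raise RuntimeError("Unable to read certificates from the "
                                   "replica file: %s" % e)
            finally:
                pw.close()
            # … unchanged: kra_cert_nicknames list and has_nickname check …
```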
-- 
2.4.3
