Attached are the changes to simplify the existing CA installation: https://fedorahosted.org/pki/ticket/1736
The documentation has been updated: http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate -- Endi S. Dewata
>From 23a31ee0df98a6104df1a8b34d88eb4d96d75f1a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <[email protected]> Date: Thu, 14 Apr 2016 23:21:57 +0200 Subject: [PATCH] Renamed PKCS #12 deployment properties. Some PKCS #12 deployment properties have been renamed to allow them to be used in more general cases: - pki_external_pkcs12_path -> pki_pkcs12_path - pki_external_pkcs12_password -> pki_pkcs12_password https://fedorahosted.org/pki/ticket/1736
---
 base/server/etc/default.cfg | 6 +++---
 .../python/pki/server/deployment/scriptlets/configuration.py | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 21c792472c7757ce5eda5e96ccfbd0552cec8b98..867e195fc36b940869a1bd4fcbe5add74886fbd9 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -22,7 +22,7 @@ sensitive_parameters=
 pki_client_pkcs12_password
 pki_clone_pkcs12_password
 pki_ds_password
- pki_external_pkcs12_password
+ pki_pkcs12_password
 pki_one_time_pin
 pki_pin
 pki_replication_password
@@ -134,6 +134,8 @@ pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
 pki_token_password=
 pki_user=pkiuser
+pki_pkcs12_path=
+pki_pkcs12_password=
 # Paths:
 # These are used in the processing of pkispawn and are not supposed
@@ -378,8 +380,6 @@ pki_external_step_two=False
 pki_external_ca_cert_chain_path=
 pki_external_ca_cert_chain_nickname=caSigningCert External CA
 pki_external_ca_cert_path=
-pki_external_pkcs12_path=
-pki_external_pkcs12_password=
 pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index f93a24723375ee3fc5139473f2d37daea0866910..ac4deb8ca51053735049b25ee3a8e0ff9699d2a1 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -158,8 +158,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 subsystem.config['ca.signing.certreq'] = signing_csr
 # If specified, import externally-signed CA cert into NSS database.
- # Note: CA cert must be imported before the cert chain to ensure that
- # the CA cert is imported with the correct nickname.
 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
 if signing_cert_file:
@@ -168,13 +166,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 cert_file=signing_cert_file,
 trust_attributes='CT,C,C')
- # If specified, import CA cert and key from PKCS #12 file into NSS database.
- pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
+ # If specified, import certs and keys from PKCS #12 file into NSS database.
+ pkcs12_file = deployer.mdict['pki_pkcs12_path']
 if pkcs12_file:
- pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
+ pkcs12_password = deployer.mdict['pki_pkcs12_password']
 nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 # If specified, import cert chain into NSS database.
+ # Note: Cert chain must be imported after the system certs to ensure that
+ # the system certs are imported with the correct nicknames.
 external_ca_cert_chain_nickname = \
 deployer.mdict['pki_external_ca_cert_chain_nickname']
 external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
-- 2.5.5
>From e68228f44ff30b7c2ee9118383953f00aef687bc Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <[email protected]> Date: Fri, 25 Mar 2016 03:12:27 +0100 Subject: [PATCH] Simplified deployment properties for existing CA case. A new pki_existing deployment property has been added to install CA with existing CA certificate and key in a single step. Some new properties have been added as aliases for the external CA properties to allow them to be used in more general cases: - pki_ca_signing_csr_path -> pki_external_csr_path - pki_ca_signing_cert_path -> pki_external_ca_cert_path - pki_cert_chain_path -> pki_external_ca_cert_chain_path - pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname https://fedorahosted.org/pki/ticket/1736
---
 base/server/etc/default.cfg | 14 +++++---
 .../python/pki/server/deployment/pkihelper.py | 7 +++-
 .../server/deployment/scriptlets/configuration.py | 38 +++++++++++++++++-----
 3 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 867e195fc36b940869a1bd4fcbe5add74886fbd9..491a48bf7b5935bbb12408549dc3b9f1e4d84f5f 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -134,6 +134,9 @@ pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
 pki_token_password=
 pki_user=pkiuser
+pki_existing=False
+pki_cert_chain_path=
+pki_cert_chain_nickname=caSigningCert External CA
 pki_pkcs12_path=
 pki_pkcs12_password=
@@ -354,7 +357,6 @@ pki_nuxwdog_client_jar=/usr/lib/java/nuxwdog.jar
 ## ##
 ## EXTERNAL CAs: To specify an 'External CA', change the value ##
 ## of 'pki_external' from 'False' to 'True'. ##
-## ##
 ## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
 ## of 'pki_subordinate' from 'False' to 'True'. ##
 ## ##
@@ -369,17 +371,19 @@ pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
 pki_ca_signing_token=Internal Key Storage Token
+pki_ca_signing_csr_path=
+pki_ca_signing_cert_path=
 pki_external=False
 pki_req_ext_add=False
 # MS subca request ext data
 pki_req_ext_oid=1.3.6.1.4.1.311.20.2
 pki_req_ext_critical=False
 pki_req_ext_data=1E0A00530075006200430041
-pki_external_csr_path=
 pki_external_step_two=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_chain_nickname=caSigningCert External CA
-pki_external_ca_cert_path=
+pki_external_csr_path=%(pki_ca_signing_csr_path)s
+pki_external_ca_cert_path=%(pki_ca_signing_cert_path)s
+pki_external_ca_cert_chain_path=%(pki_cert_chain_path)s
+pki_external_ca_cert_chain_nickname=%(pki_cert_chain_nickname)s
 pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index cd4e3e26f72ad175aa13fd87d1c8344c6d9248f4..f01f6f69ff66d3687875c8f3d88840daf2115e3f 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -501,6 +501,7 @@ class ConfigurationFile:
 self.add_req_ext = config.str2bool(
 self.mdict['pki_req_ext_add'])
+ self.existing = config.str2bool(self.mdict['pki_existing'])
 self.external = config.str2bool(self.mdict['pki_external'])
 self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two'])
 self.external_step_two = not self.external_step_one
@@ -3786,9 +3787,12 @@ class ConfigClient:
 self.mdict = deployer.mdict
 # set useful 'boolean' object variables for this class
 self.clone = config.str2bool(self.mdict['pki_clone'])
+ + self.existing = config.str2bool(self.mdict['pki_existing'])
 self.external = config.str2bool(self.mdict['pki_external'])
 self.external_step_two = config.str2bool(
 self.mdict['pki_external_step_two'])
+ + self.standalone = config.str2bool(self.mdict['pki_standalone'])
 self.subordinate = config.str2bool(self.mdict['pki_subordinate'])
 # set useful 'string' object variables for this class
@@ -3999,7 +4003,8 @@ class ConfigClient:
 data.tokenPassword = self.mdict['pki_token_password']
 data.subsystemName = self.mdict['pki_subsystem_name']
- data.external = self.external
+ # Process existing CA installation like external CA
+ data.external = self.external or self.existing
 data.standAlone = self.standalone
 if self.standalone:
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index ac4deb8ca51053735049b25ee3a8e0ff9699d2a1..1474d2fbbdb5f842109b0d319e7f16388720bff9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -93,13 +93,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 token = deployer.mdict['pki_token_name']
 nssdb = instance.open_nssdb(token)
+ existing = deployer.configuration_file.existing
 external = deployer.configuration_file.external
 step_one = deployer.configuration_file.external_step_one
 step_two = deployer.configuration_file.external_step_two
 try:
- if external and step_one: # external/existing CA step 1
+ if external and step_one: # external CA step 1 only
+ + # Determine CA signing key type and algorithm
 key_type = deployer.mdict['pki_ca_signing_key_type']
 key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
@@ -129,6 +131,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # import it into CS.cfg.
 external_csr_path = deployer.mdict['pki_external_csr_path']
 if external_csr_path:
+ config.pki_log.info(
+ "generating CA signing certificate request in %s",
+ external_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
 nssdb.create_request(
 subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
 request_file=external_csr_path,
@@ -136,8 +142,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 key_size=key_size,
 curve=curve,
 hash_alg=hash_alg)
+
 with open(external_csr_path) as f:
 signing_csr = f.read()
+
 signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
 subsystem.config['ca.signing.certreq'] = signing_csr
@@ -147,20 +155,27 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 subsystem.save()
- elif external and step_two: # external/existing CA step 2
+ if existing or external and step_two: # existing CA or external CA step 2
- # If specified, import existing CA cert request into CS.cfg.
- external_csr_path = deployer.mdict['pki_external_csr_path']
- if external_csr_path:
- with open(external_csr_path) as f:
+ # If specified, import CA signing CSR into CS.cfg.
+ signing_csr_path = deployer.mdict['pki_external_csr_path']
+ if signing_csr_path:
+ config.pki_log.info(
+ "importing CA signing CSR from %s",
+ signing_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(signing_csr_path) as f:
 signing_csr = f.read()
 signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
 subsystem.config['ca.signing.certreq'] = signing_csr
- # If specified, import externally-signed CA cert into NSS database.
+ # If specified, import CA signing cert into NSS database.
 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
 if signing_cert_file:
+ config.pki_log.info(
+ "importing %s from %s", signing_nickname, signing_cert_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
 nssdb.add_cert(
 nickname=signing_nickname,
 cert_file=signing_cert_file,
@@ -169,6 +184,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # If specified, import certs and keys from PKCS #12 file into NSS database.
 pkcs12_file = deployer.mdict['pki_pkcs12_path']
 if pkcs12_file:
+ config.pki_log.info(
+ "importing certificates and keys from %s", pkcs12_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
 pkcs12_password = deployer.mdict['pki_pkcs12_password']
 nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
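Review bot: The new condition `if existing or external and step_two:` is correct only because `and` binds tighter than `or`, and since it is now an `if` rather than the old `elif`, a deployment that sets both `pki_existing=True` and `pki_external=True` in step one runs the step-one block above and then this block in the same pass, re-reading the just-generated CSR and attempting the cert import. Parenthesise it as `if existing or (external and step_two):` and reject `pki_existing` combined with `pki_external` during configuration-file validation (I cannot see whether such a check exists elsewhere). The enclosing `try` opens in an earlier hunk and the method continues past this one.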
@@ -179,13 +197,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 deployer.mdict['pki_external_ca_cert_chain_nickname']
 external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
 if external_ca_cert_chain_file:
+ config.pki_log.info(
+ "importing certificate chain %s from %s",
+ external_ca_cert_chain_nickname, external_ca_cert_chain_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
 cert_chain, _nicks = nssdb.import_cert_chain(
 nickname=external_ca_cert_chain_nickname,
 cert_chain_file=external_ca_cert_chain_file,
 trust_attributes='CT,C,C')
 subsystem.config['ca.external_ca_chain.cert'] = cert_chain
- # Export CA cert from NSS database and import it into CS.cfg.
+ # Export CA signing cert from NSS database and import it into CS.cfg.
 signing_cert_data = nssdb.get_cert(
 nickname=signing_nickname,
 output_format='base64')
-- 2.5.5
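Review bot: For `pki_existing=True` the `nssdb.get_cert(nickname=signing_nickname, ...)` call is reached even when neither `pki_ca_signing_cert_path` nor `pki_pkcs12_path` was supplied, because both imports in the preceding hunks are guarded by `if <path>:`; what `get_cert` returns for an absent nickname is not visible here, but whatever it is ends up in CS.cfg before the server is started. A guard such as `if not signing_cert_data: raise Exception('CA signing certificate %s not found in NSS database' % signing_nickname)` would fail early with a clear message instead. Since an existing CA also needs the matching private key and `import_pkcs12` may bring in certificates without one, checking that a key exists for `signing_nickname` at this point is worth considering too. The method continues beyond this hunk.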
>From 9f477598dc117f974648927e0d922263587c32fc Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <[email protected]> Date: Fri, 15 Apr 2016 02:30:00 +0200 Subject: [PATCH] Updated pki pkcs12-export CLI. For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
---
 base/common/python/pki/nssdb.py | 10 +++++++++-
 .../netscape/cmstools/pkcs12/PKCS12ExportCLI.java | 16 ++++++++--------
 .../com/netscape/cmscore/base/PropConfigStore.java | 2 +-
 base/server/python/pki/server/cli/instance.py | 18 ++++++++++++++----
 base/server/python/pki/server/cli/subsystem.py | 20 +++++++++++++++-----
 5 files changed, 47 insertions(+), 19 deletions(-)
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 9d276332aacb5a74b36c20406028e03a21c51b72..503bd412b3d6cb6d98f2dade05736a4b3fc98f9c 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -543,7 +543,9 @@ class NSSDatabase(object):
 def export_pkcs12(self, pkcs12_file,
 pkcs12_password=None,
 pkcs12_password_file=None,
- nicknames=None):
+ nicknames=None,
+ append=False,
+ debug=False):
 tmpdir = tempfile.mkdtemp()
@@ -575,6 +577,12 @@ class NSSDatabase(object):
 '--pkcs12-password-file', password_file
 ])
+ if append:
+ cmd.extend(['--append'])
+
+ if debug:
+ cmd.extend(['--debug'])
+
 if nicknames:
 cmd.extend(nicknames)
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index fab5ecdda038ef281348f3e16535e8fdef7bae90..728a9efd1d3f36d14428b2f1e7b891047576de96 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
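Review bot: `export_pkcs12` gains `append` and `debug` without a docstring, and `append=False` is a behaviour change for existing callers: together with the CLI change in this patch an existing `pkcs12_file` is now replaced rather than merged into. A docstring stating `append: merge into an existing PKCS #12 file; by default the file is overwritten` and `debug: pass --debug through to the pki CLI` would make that visible at the Python API boundary. Whether `--debug` makes the underlying CLI print anything sensitive I cannot tell from here (the password itself goes via `--pkcs12-password-file`, which is fine) and is worth confirming before `pki-server` exposes it. The method body continues beyond the hunk.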
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -61,7 +61,7 @@ public class PKCS12ExportCLI extends CLI {
 option.setArgName("path");
 options.addOption(option);
- options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
+ options.addOption(null, "append", false, "Append into an existing PKCS #12 file");
 options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
 options.addOption(null, "no-key", false, "Do not include private key");
 options.addOption(null, "no-chain", false, "Do not include certificate chain");
@@ -128,7 +128,7 @@ public class PKCS12ExportCLI extends CLI {
 Password password = new Password(passwordString.toCharArray());
- boolean newFile = cmd.hasOption("new-file");
+ boolean append = cmd.hasOption("append");
 boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
 boolean includeKey = !cmd.hasOption("no-key");
 boolean includeChain = !cmd.hasOption("no-chain");
@@ -139,13 +139,13 @@ public class PKCS12ExportCLI extends CLI {
 PKCS12 pkcs12;
- if (newFile || !new File(filename).exists()) {
- // if new file requested or file does not exist, create a new file
- pkcs12 = new PKCS12();
-
- } else {
- // otherwise, export into the existing file
+ if (append && new File(filename).exists()) {
+ // if append requested and file exists, export into the existing file
 pkcs12 = util.loadFromFile(filename, password);
+
+ } else {
+ // otherwise, create a new file
+ pkcs12 = new PKCS12();
 }
 if (nicknames.length == 0) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
index eb3f6c3126070c3bcf30c7ed155bf2e7281d6876..cc16e247d01428f958d0d397ff95127fcb8d2f45 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
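Review bot: With `if (append && new File(filename).exists())`, the default branch `pkcs12 = new PKCS12()` silently replaces an existing file, and for a PKCS #12 that typically holds private keys a mistyped path now destroys them where the old code merged into the file. If overwrite-by-default is the intended UX, at least warn when the file exists and `--append` was not given, or require an explicit `--force`. The old `--new-file` option is removed outright, so callers still passing it will presumably fail option parsing; a deprecated alias would ease the transition. The enclosing method continues beyond this hunk.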
@@ -255,7 +255,7 @@ public class PropConfigStore implements IConfigStore, Cloneable {
 if (str == null) {
 CMS.traceHashKey(mDebugType, getFullName(name), "<notpresent>");
- throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", getName() + "." + name));
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", getFullName(name)));
 }
 // should we check for empty string ?
 // if (str.length() == 0) {
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index a779f3c16e12fc30f1accb3dc05b43b89bcabcb1..4eeee5d6053e05581a472b601ed9e066c4ada395 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -76,7 +76,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
 print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.')
 print(' --pkcs12-password <password> Password for the PKCS #12 file.')
 print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
+ print(' --append Append into an existing PKCS #12 file.')
 print(' -v, --verbose Run in verbose mode.')
+ print(' --debug Run in debug mode.')
 print(' --help Show help message.')
 print()
@@ -86,7 +88,7 @@ class InstanceCertExportCLI(pki.cli.CLI):
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'verbose', 'help'])
+ 'append', 'verbose', 'debug', 'help'])
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
@@ -99,6 +101,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
 pkcs12_file = None
 pkcs12_password = None
 pkcs12_password_file = None
+ append = False
+ debug = False
 for o, a in opts:
 if o in ('-i', '--instance'):
@@ -113,9 +117,15 @@ class InstanceCertExportCLI(pki.cli.CLI):
 elif o == '--pkcs12-password-file':
 pkcs12_password_file = a
+ elif o == '--append':
+ append = True
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)
+ elif o == '--debug':
+ debug = True
+
 elif o == '--help':
 self.print_help()
 sys.exit()
@@ -142,12 +152,12 @@ class InstanceCertExportCLI(pki.cli.CLI):
 pkcs12_file=pkcs12_file,
 pkcs12_password=pkcs12_password,
 pkcs12_password_file=pkcs12_password_file,
- nicknames=nicknames)
+ nicknames=nicknames,
+ append=append,
+ debug=debug)
 finally:
 nssdb.close()
- self.print_message('Exported certificates')
-
 class InstanceFindCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 5ab232cc1610e113c5e773f9aea20907198c324c..fe395aad642f050c401996b401a4122af09b9f83 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -464,7 +464,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.')
 print(' --pkcs12-password <password> Password for the PKCS #12 file.')
 print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
+ print(' --append Append into an existing PKCS #12 file.')
 print(' -v, --verbose Run in verbose mode.')
+ print(' --debug Run in debug mode.')
 print(' --help Show help message.')
 print()
@@ -474,7 +476,7 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
 'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=',
 'pkcs12-password=', 'pkcs12-password-file=',
- 'verbose', 'help'])
+ 'append', 'verbose', 'debug', 'help'])
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
@@ -494,6 +496,8 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 pkcs12_file = None
 pkcs12_password = None
 pkcs12_password_file = None
+ append = False
+ debug = False
 for o, a in opts:
 if o in ('-i', '--instance'):
@@ -514,9 +518,15 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 elif o == '--pkcs12-password-file':
 pkcs12_password_file = a
+ elif o == '--append':
+ append = True
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)
+ elif o == '--debug':
+ debug = True
+
 elif o == '--help':
 self.print_help()
 sys.exit()
@@ -526,7 +536,7 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 self.print_help()
 sys.exit(1)
- if not pkcs12_file:
+ if not (cert_file or csr_file or pkcs12_file):
 print('ERROR: missing output file')
 self.print_help()
 sys.exit(1)
@@ -579,13 +589,13 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 pkcs12_file=pkcs12_file,
 pkcs12_password=pkcs12_password,
 pkcs12_password_file=pkcs12_password_file,
- nicknames=nicknames)
+ nicknames=nicknames,
+ append=append,
+ debug=debug)
 finally:
 nssdb.close()
- self.print_message('Export complete')
-
 class SubsystemCertUpdateCLI(pki.cli.CLI):
-- 2.5.5
>From 72fec14779ed5279b4387e4d78a2b0d0c8a57b4f Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <[email protected]> Date: Thu, 14 Apr 2016 23:12:17 +0200 Subject: [PATCH] Moved self-signed SSL server certificate creation. To avoid possible conflicts imported external certificates, the self-signed SSL server certificate creation has been moved after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
---
 .../server/deployment/scriptlets/configuration.py | 55 ++++++++++++++++++++++
 .../deployment/scriptlets/security_databases.py | 41 ----------------
 2 files changed, 55 insertions(+), 41 deletions(-)
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 1474d2fbbdb5f842109b0d319e7f16388720bff9..aa127651ef083ee506c2cad38b1af16ceaaab13d 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -236,6 +236,61 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 if external and step_one:
 return self.rv
+ if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_shared_pfile'],
+ deployer.mdict['pki_pin'], pin_sans_token=True)
+
+ # only create a self signed cert for a new instance
+ #
+ # NOTE: ALWAYS create the temporary sslserver certificate
+ # in the software DB regardless of whether the
+ # instance will utilize 'softokn' or an HSM
+ #
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ if not rv:
+
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file.
Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
+
+ deployer.certutil.generate_self_signed_certificate(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ deployer.mdict['pki_self_signed_subject'],
+ deployer.mdict['pki_self_signed_serial_number'],
+ deployer.mdict['pki_self_signed_validity_period'],
+ deployer.mdict['pki_self_signed_issuer_name'],
+ deployer.mdict['pki_self_signed_trustargs'],
+ deployer.mdict['pki_self_signed_noise_file'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ # Delete the temporary 'noise' file
+ deployer.file.delete(
+ deployer.mdict['pki_self_signed_noise_file'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
 # Start/Restart this Tomcat PKI Process
 # Optionally prepare to enable a java debugger
 # (e. g. - 'eclipse'):
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index a567b7cdf6ef164b60b9924412388892cbb02efa..ed8c0ce0981f2d4c09b9cabebaeabf4bfd348d2f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
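Review bot: The password file written by `create_password_conf(deployer.mdict['pki_shared_pfile'], deployer.mdict['pki_pin'], ...)` is removed only by the unconditional `deployer.file.delete(...)` at the end of the block, so if `verify_certificate_exists` or `generate_self_signed_certificate` raises, the NSS PIN is left on disk; the noise file has the same gap. A `try`/`finally` around the certutil calls removes both temporaries on every path (whether `deployer.file.delete` tolerates a missing file I cannot see, so the noise-file cleanup below stays inside `if not rv:`). The comment asserts NSS ignores the noise data; writing a few `os.urandom` bytes instead of a constant would cost nothing and remove the reliance on that claim, if `os` is imported in this module. This is relocated code, but it is now on the new side, and the enclosing method continues past the hunk.
```python
            deployer.password.create_password_conf(
                deployer.mdict['pki_shared_pfile'],
                deployer.mdict['pki_pin'], pin_sans_token=True)

            try:
                rv = deployer.certutil.verify_certificate_exists(
                    # … unchanged: database/token/nickname arguments …
                    password_file=deployer.mdict['pki_shared_pfile'])

                if not rv:
                    with open(
                            deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
                        f.write("not_so_random_data")
                    try:
                        deployer.certutil.generate_self_signed_certificate(
                            # … unchanged arguments …
                            password_file=deployer.mdict['pki_shared_pfile'])
                    finally:
                        # Delete the temporary 'noise' file even if certutil failed
                        deployer.file.delete(
                            deployer.mdict['pki_self_signed_noise_file'])
            finally:
                # The pfile holds the NSS PIN: remove it on every exit path,
                # not only after a successful certutil run.
                deployer.file.delete(deployer.mdict['pki_shared_pfile'])
```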
@@ -128,47 +128,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 no_user_certs=True)
 if len(deployer.instance.tomcat_instance_subsystems()) < 2:
- # only create a self signed cert for a new instance
- #
- # NOTE: ALWAYS create the temporary sslserver certificate
- # in the software DB regardless of whether the
- # instance will utilize 'softokn' or an HSM
- #
- rv = deployer.certutil.verify_certificate_exists(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- password_file=deployer.mdict['pki_shared_pfile'])
- if not rv:
- # note: in the function below, certutil is used to generate
- # the request for the self signed cert. The keys are generated
- # by NSS, which does not actually use the data in the noise
- # file, so it does not matter what is in this file. Certutil
- # still requires it though, otherwise it waits for keyboard
- # input
- with open(
- deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
- f.write("not_so_random_data")
- deployer.certutil.generate_self_signed_certificate(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- deployer.mdict['pki_self_signed_subject'],
- deployer.mdict['pki_self_signed_serial_number'],
- deployer.mdict['pki_self_signed_validity_period'],
- deployer.mdict['pki_self_signed_issuer_name'],
- deployer.mdict['pki_self_signed_trustargs'],
- deployer.mdict['pki_self_signed_noise_file'],
- password_file=deployer.mdict['pki_shared_pfile'])
- # Delete the temporary 'noise' file
- deployer.file.delete(
- deployer.mdict['pki_self_signed_noise_file'])
 # Check to see if a secure connection is being used for the DS
 if
config.str2bool(deployer.mdict['pki_ds_secure_connection']):
-- 2.5.5
