From 01623f70d85065d48433d26e4d42c885a49989e8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Sep 30 2014 06:51:21 +0000 Subject: Allow choosing CA-less server certificates by name Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare and --cert-name option to ipa-server-certinstall. The options allows choosing a particular certificate and private key from PKCS#12 files by its friendly name. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin --- diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 331b08d..b827dfe 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -247,6 +247,15 @@ def parse_options(): help="The password to unlock the Kerberos KDC private key") cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True, help=SUPPRESS_HELP) + cert_group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name", + metavar="NAME", + help="Name of the Directory Server SSL certificate to install") + cert_group.add_option("--http-cert-name", dest="http_cert_name", + metavar="NAME", + help="Name of the Apache Server SSL certificate to install") + cert_group.add_option("--pkinit-cert-name", dest="pkinit_cert_name", + metavar="NAME", + help="Name of the Kerberos KDC SSL certificate to install") cert_group.add_option("--ca-cert-file", dest="ca_cert_files", action="append", metavar="FILE", help="File containing CA certificates for the service certificate files") @@ -926,7 +935,7 @@ def main(): http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12( cert_files=options.http_cert_files, key_password=options.http_pin, - key_nickname=None, + key_nickname=options.http_cert_name, ca_cert_files=options.ca_cert_files, host_name=host_name) http_pkcs12_info = (http_pkcs12_file.name, http_pin) 
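Review bot: The help strings of the three new options in parse_options do not tell the operator what NAME is: the commit message says it is the PKCS#12 friendly name of the entry, and the option only does anything together with the matching `--*-cert-file`, but neither fact is visible from `--help`. Calling the KDC certificate an "SSL certificate" is also misleading, since it is a PKINIT certificate. Suggest `help="Friendly name (PKCS#12 nickname) of the Directory Server certificate to install from --dirsrv-cert-file"` and the same wording for the Apache and Kerberos KDC options, with "SSL" dropped for the KDC one. parse_options continues past the hunk, so whether it rejects a name given without a certificate file cannot be seen here.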
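Review bot: `key_nickname=options.http_cert_name` hands an operator-supplied friendly name straight to load_pkcs12, and nothing in this hunk, or in the dirsrv and pkinit hunks that follow, checks that the name resolves to exactly one key. PKCS#12 friendly names are not required to be unique, so if load_pkcs12 (not visible here) takes the first match, or silently falls back to the only key when the name is absent, a typo or a duplicate name installs a key the operator did not choose; please confirm it fails with a clear error when the nickname is missing or ambiguous. A name given without `--http-cert-file` is presumably never reached at all, so a guard such as `if options.http_cert_name and not options.http_cert_files: sys.exit("--http-cert-name requires --http-cert-file")` (or whatever error path main() already uses) would stop the option from being silently ignored. main() starts and ends outside this hunk.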
@@ -942,7 +951,7 @@ def main(): dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12( cert_files=options.dirsrv_cert_files, key_password=options.dirsrv_pin, - key_nickname=None, + key_nickname=options.dirsrv_cert_name, ca_cert_files=options.ca_cert_files, host_name=host_name) dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin) @@ -958,7 +967,7 @@ def main(): pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12( cert_files=options.pkinit_cert_files, key_password=options.pkinit_pin, - key_nickname=None, + key_nickname=options.pkinit_cert_name, ca_cert_files=options.ca_cert_files, host_name=host_name) pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin) diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 index fc8bf83..a0d47c9 100644 --- a/install/tools/man/ipa-replica-prepare.1 +++ b/install/tools/man/ipa-replica-prepare.1 @@ -53,6 +53,15 @@ The password to unlock the Apache Server private key \fB\-\-pkinit\-pin\fR=\fIPIN\fR The password to unlock the Kerberos KDC private key .TP +\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR +Name of the Directory Server SSL certificate to install +.TP +\fB\-\-http\-cert\-name\fR=\fINAME\fR +Name of the Apache Server SSL certificate to install +.TP +\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR +Name of the Kerberos KDC SSL certificate to install +.TP \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password .TP diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 index a5cb4bb..d23bbd4 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 
@@ -40,6 +40,9 @@ Install the certificate in the Apache Web Server \fB\-\-pin\fR=\fIPIN\fR The password to unlock the private key .TP +\fB\-\-cert\-name\fR=\fINAME\fR +Name of the certificate to install +.TP \fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR Directory Manager password .SH "EXIT STATUS" diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 0bd5968..582108e 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -111,6 +111,15 @@ The password to unlock the Apache Server private key \fB\-\-pkinit\-pin\fR=\fIPIN\fR The password to unlock the Kerberos KDC private key .TP +\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR +Name of the Directory Server SSL certificate to install +.TP +\fB\-\-http\-cert\-name\fR=\fINAME\fR +Name of the Apache Server SSL certificate to install +.TP +\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR +Name of the Kerberos KDC SSL certificate to install +.TP \fB\-\-ca\-cert\-file\fR=\fIFILE\fR File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files. .TP diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 8811080..cbd8df2 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py 
@@ -108,6 +108,15 @@ class ReplicaPrepare(admintool.AdminTool): help="The password to unlock the Kerberos KDC private key") group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True, help=SUPPRESS_HELP) + group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name", + metavar="NAME", + help="Name of the Directory Server SSL certificate to install") + group.add_option("--http-cert-name", dest="http_cert_name", + metavar="NAME", + help="Name of the Apache Server SSL certificate to install") + group.add_option("--pkinit-cert-name", dest="pkinit_cert_name", + metavar="NAME", + help="Name of the Kerberos KDC SSL certificate to install") parser.add_option_group(group) def validate_options(self): @@ -262,7 +271,8 @@ class ReplicaPrepare(admintool.AdminTool): raise admintool.ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12( - options.http_cert_files, options.http_pin, None) + options.http_cert_files, options.http_pin, + options.http_cert_name) self.http_pkcs12_file = http_pkcs12_file self.http_pin = http_pin @@ -275,7 +285,8 @@ class ReplicaPrepare(admintool.AdminTool): raise admintool.ScriptError( "Directory Server private key unlock password required") dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12( - options.dirsrv_cert_files, options.dirsrv_pin, None) + options.dirsrv_cert_files, options.dirsrv_pin, + options.dirsrv_cert_name) self.dirsrv_pkcs12_file = dirsrv_pkcs12_file self.dirsrv_pin = dirsrv_pin @@ -288,7 +299,8 @@ class ReplicaPrepare(admintool.AdminTool): raise admintool.ScriptError( "Kerberos KDC private key unlock password required") pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12( - options.pkinit_cert_files, options.pkinit_pin, None) + options.pkinit_cert_files, options.pkinit_pin, + options.pkinit_cert_name) self.pkinit_pkcs12_file = pkinit_pkcs12_file self.pkinit_pin = pkinit_pin 
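Review bot: The new `--*-cert-name` options are added to the option group, but validate_options, whose `def` line closes this hunk, is not extended to reject a name given without the corresponding `--*-cert-file`; the later hunks pass the name to self.load_pkcs12 only on a path that is presumably taken when certificate files were supplied, so a lone `--http-cert-name` would be silently ignored rather than reported. Suggest adding next to the existing pin checks `if options.http_cert_name and not options.http_cert_files: raise admintool.ScriptError("--http-cert-name requires --http-cert-file")` and the equivalent for dirsrv and pkinit, matching the ScriptError style already used for the pins. The body of validate_options is outside the hunk.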
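Review bot: `self.load_pkcs12(options.http_cert_files, options.http_pin, options.http_cert_name)` passes the new nickname as a bare third positional argument, so a reader must look up self.load_pkcs12 to learn that it selects the key, and the dirsrv and pkinit calls below do the same; the ipa-server-install side of this change spells out `key_nickname=` for the equivalent call. If self.load_pkcs12 keeps installutils.load_pkcs12's parameter names, `options.http_cert_files, options.http_pin, key_nickname=options.http_cert_name` would make the intent explicit at the call site. The enclosing method starts outside this hunk.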
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 1744a6e..9165ac1 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -61,6 +61,10 @@ class ServerCertInstall(admintool.AdminTool): dest="pin", help=optparse.SUPPRESS_HELP) parser.add_option( + "--cert-name", + dest="cert_name", metavar="NAME", + help="Name of the certificate to install") + parser.add_option( "-p", "--dirman-password", dest="dirman_password", help="Directory Manager password") @@ -155,7 +159,7 @@ class ServerCertInstall(admintool.AdminTool): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, key_password=pkcs12_passwd, - key_nickname=None, + key_nickname=self.options.cert_name, ca_cert_files=[CACERT], host_name=api.env.host)
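Review bot: `help="Name of the certificate to install"` for `--cert-name` does not say that NAME is the PKCS#12 friendly name nor that it is looked up in the PKCS#12 files given as positional arguments, which is the only thing that distinguishes it from the `-d`/`-w` target options shown above it in the man page. Suggest `help="Friendly name (PKCS#12 nickname) of the certificate to install from the given PKCS#12 file"`. The option-parsing method continues outside this hunk.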
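Review bot: `key_nickname=self.options.cert_name` is applied together with `cert_files=self.args`, so one friendly name is matched across however many PKCS#12 files the operator lists on the command line, and nothing here establishes what happens when the name matches an entry in more than one file, or none at all. Since load_pkcs12 is not visible, please confirm it fails closed on both cases instead of taking the first match, and consider a comment on the call such as `# cert_name selects one entry by PKCS#12 friendly name across all files in self.args; load_pkcs12 must reject no/multiple matches`. The enclosing method starts outside this hunk.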