def install_kdc_cert(self):
ca_cert_file = paths.CA_BUNDLE_PEM
pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
cert_files=self.args,
key_password=self.options.pin,
key_nickname=self.options.cert_name,
ca_cert_files=[ca_cert_file],
realm_name=api.env.realm)
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
# Check that the ca_cert is known and trusted
with tempfile.NamedTemporaryFile() as temp:
certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)
kdc_cert = x509.load_certificate_from_file(temp.name)
ca_certs = x509.load_certificate_list_from_file(ca_cert_file)
try:
verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
except ValueError as e:
raise admintool.ScriptError(
"Peer's certificate issuer is not trusted (%s). "
"Please run ipa-cacert-manage install and ipa-certupdate "
"to install the CA certificate." % str(e))
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=paths.KDC_CERT)
certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm),
pem=False)
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
certmonger.start_tracking(
(paths.KDC_CERT, paths.KDC_KEY),
storage='FILE',
profile='KDCs_PKINIT_Certs')
except RuntimeError as e:
raise admintool.ScriptError(str(e))
krb = krbinstance.KrbInstance()
krb.init_info(
realm_name=api.env.realm,
host_name=api.env.host,
)
krb.pkinit_enable()
def replace_key_cert_files(
self, cert, key, cert_fname, key_fname, ca_cert, passwd_fname=None,
profile=None, cmgr_post_command=None
):
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=cert_fname)
pkey_passwd = None
if passwd_fname is not None:
with open(passwd_fname, 'rb') as f:
pkey_passwd = f.read()
x509.write_certificate(cert, cert_fname)
x509.write_pem_private_key(key, key_fname, pkey_passwd)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm))
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
req_id = certmonger.start_tracking(
(cert_fname, key_fname),
pinfile=passwd_fname,
storage='FILE',
post_command=cmgr_post_command
)
return req_id
except RuntimeError as e:
raise admintool.ScriptError(str(e))
return None
def configure_renewal(self):
""" Configure certmonger to renew system certs """
pin = self.__get_pin()
for nickname in self.tracking_reqs:
try:
certmonger.start_tracking(
certpath=self.nss_db,
ca='dogtag-ipa-ca-renew-agent',
nickname=nickname,
pin=pin,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
)
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def track_servercert(self):
"""
Specifically do not tell certmonger to restart the CA. This will be
done by the renewal script, renew_ca_cert once all the subsystem
certificates are renewed.
"""
pin = self.__get_pin()
try:
certmonger.start_tracking(
certpath=self.nss_db,
ca='dogtag-ipa-ca-renew-agent',
nickname=self.server_cert_name,
pin=pin,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % self.server_cert_name)
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def track_servercert(self):
"""
Specifically do not tell certmonger to restart the CA. This will be
done by the renewal script, renew_ca_cert once all the subsystem
certificates are renewed.
"""
pin = self.__get_pin()
try:
certmonger.start_tracking(
certpath=self.nss_db,
ca='dogtag-ipa-ca-renew-agent',
nickname=self.server_cert_name,
pin=pin,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % self.server_cert_name)
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def configure_renewal(self):
""" Configure certmonger to renew system certs """
pin = self.__get_pin(self.token_name)
for nickname in self.tracking_reqs:
try:
certmonger.start_tracking(
certpath=self.nss_db,
ca='dogtag-ipa-ca-renew-agent',
nickname=nickname,
token_name=self.token_name,
pin=pin,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
)
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def configure_renewal(self):
""" Configure certmonger to renew system certs """
for nickname in self.tracking_reqs:
token_name = self.get_token_name(nickname)
pin = self.__get_pin(token_name)
try:
certmonger.start_tracking(
certpath=self.nss_db,
ca=RENEWAL_CA_NAME,
nickname=nickname,
token_name=token_name,
pin=pin,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
profile=self.tracking_reqs[nickname],
)
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def start_tracking_certificates(self):
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if certs.is_ipa_issued_cert(api, cert):
request_id = certmonger.start_tracking(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
post_command='restart_httpd', storage='FILE'
)
subject = str(DN(cert.subject))
certmonger.add_principal(request_id, self.principal)
certmonger.add_subject(request_id, subject)
else:
logger.debug("Will not track HTTP server cert %s as it is not "
"issued by IPA", cert.subject)
def start_tracking_certificates(self):
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if certs.is_ipa_issued_cert(api, cert):
request_id = certmonger.start_tracking(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
post_command='restart_httpd',
storage='FILE')
subject = str(DN(cert.subject))
certmonger.add_principal(request_id, self.principal)
certmonger.add_subject(request_id, subject)
else:
logger.debug(
"Will not track HTTP server cert %s as it is not "
"issued by IPA", cert.subject)
def track_server_cert(self, nickname, principal, password_file=None, command=None):
"""
Tell certmonger to track the given certificate nickname.
"""
try:
request_id = certmonger.start_tracking(
self.secdir, nickname=nickname, pinfile=password_file,
post_command=command)
except RuntimeError as e:
root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
return
cert = self.get_cert_from_db(nickname)
cert_obj = x509.load_certificate(cert)
subject = str(DN(cert_obj.subject))
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
def track_server_cert(self, nickname, principal, password_file=None, command=None):
"""
Tell certmonger to track the given certificate nickname.
"""
try:
request_id = certmonger.start_tracking(
self.secdir, nickname=nickname, pinfile=password_file,
post_command=command)
except RuntimeError as e:
logger.error("certmonger failed starting to track certificate: %s",
str(e))
return
cert = self.get_cert_from_db(nickname)
subject = str(DN(cert.subject))
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
def start_tracking_certificates(self):
key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if certs.is_ipa_issued_cert(api, cert):
request_id = certmonger.start_tracking(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
post_command='restart_httpd', storage='FILE',
profile=dogtag.DEFAULT_PROFILE,
pinfile=key_passwd_file,
dns=[self.fqdn, f'{IPA_CA_RECORD}.{api.env.domain}'],
)
subject = str(DN(cert.subject))
certmonger.add_principal(request_id, self.principal)
certmonger.add_subject(request_id, subject)
else:
logger.debug("Will not track HTTP server cert %s as it is not "
"issued by IPA", cert.subject)
def track_server_cert(self, nickname, principal, password_file=None, command=None):
"""
Tell certmonger to track the given certificate nickname.
If command is not a full path then it is prefixed with
/usr/lib[64]/ipa/certmonger.
"""
if command is not None and not os.path.isabs(command):
command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
try:
request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
except RuntimeError as e:
root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
return
cert = self.get_cert_from_db(nickname)
cert_obj = x509.load_certificate(cert)
subject = str(DN(cert_obj.subject))
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
def track_server_cert(self, nickname, principal, password_file=None, command=None):
"""
Tell certmonger to track the given certificate nickname.
If command is not a full path then it is prefixed with
/usr/lib[64]/ipa/certmonger.
"""
if command is not None and not os.path.isabs(command):
command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
try:
request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
except RuntimeError as e:
root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
return
cert = self.get_cert_from_db(nickname)
cert_obj = x509.load_certificate(cert)
subject = str(DN(cert_obj.subject))
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
def replace_key_cert_files(self,
cert,
key,
cert_fname,
key_fname,
ca_cert,
passwd_fname=None,
profile=None,
cmgr_post_command=None):
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=cert_fname)
pkey_passwd = None
if passwd_fname is not None:
with open(passwd_fname, 'rb') as f:
pkey_passwd = f.read()
x509.write_certificate(cert, cert_fname)
x509.write_pem_private_key(key, key_fname, pkey_passwd)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm))
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
req_id = certmonger.start_tracking(
(cert_fname, key_fname),
pinfile=passwd_fname,
storage='FILE',
post_command=cmgr_post_command)
return req_id
except RuntimeError as e:
raise admintool.ScriptError(str(e))
return None
