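def print_system_cert(cert, show_all=False):
    """Print a human-readable summary of one system certificate record.

    ``cert`` is a dict with at least the ``id``, ``nickname`` and ``token``
    keys; ``serial_number`` (an int, shown in hex), ``subject``, ``issuer``,
    ``not_before`` and ``not_after`` (epoch milliseconds) are printed only
    when present.  With ``show_all`` the base64 certificate (``data``) and
    CSR (``request``) are printed as well; both are public material, no
    private key is involved.
    """
    print(' Cert ID: %s' % cert['id'])
    print(' Nickname: %s' % cert['nickname'])
    print(' Token: %s' % cert['token'])

    # Compare against None rather than truthiness: a serial of 0 is a real
    # value (seen on some legacy/test certs) and must not be hidden.
    serial_number = cert.get('serial_number')
    if serial_number is not None:
        print(' Serial Number: %s' % hex(serial_number))

    subject = cert.get('subject')
    if subject:
        print(' Subject DN: %s' % subject)

    issuer = cert.get('issuer')
    if issuer:
        print(' Issuer DN: %s' % issuer)

    not_before = cert.get('not_before')
    if not_before:
        print(' Not Valid Before: %s' % CertCLI.convert_millis_to_date(not_before))

    not_after = cert.get('not_after')
    if not_after:
        print(' Not Valid After: %s' % CertCLI.convert_millis_to_date(not_after))

    if show_all:
        print(' Certificate: %s' % cert['data'])
        print(' Request: %s' % cert['request'])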
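def execute(self, argv):
    """Export a system certificate, its CSR and/or a PKCS #12 bundle.

    ``argv`` holds the options followed by one positional cert ID, either an
    instance-level ID (``sslserver``, ``subsystem``) or ``<subsystem>_<tag>``
    (e.g. ``ca_signing``).  At least one of ``--cert-file``, ``--csr-file``
    or ``--pkcs12-file`` is required.

    Security notes: the PKCS #12 output includes the private key unless
    ``--no-key`` is given, so treat that file as a secret.  A password passed
    with ``--pkcs12-password`` sits on the command line where other local
    users can read it from the process table; prefer
    ``--pkcs12-password-file`` or the interactive prompt that is used when
    neither option is supplied.

    Terminates via ``sys.exit(1)`` on usage errors, an unknown instance or
    subsystem, or missing certificate data.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=',
            'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
            'append', 'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.usage()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None
    csr_file = None
    pkcs12_file = None
    pkcs12_password = None
    pkcs12_password_file = None
    append = False
    include_trust_flags = True
    include_key = True
    include_chain = True
    debug = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--cert-file':
            cert_file = a
        elif o == '--csr-file':
            csr_file = a
        elif o == '--pkcs12-file':
            pkcs12_file = a
        elif o == '--pkcs12-password':
            pkcs12_password = a
        elif o == '--pkcs12-password-file':
            pkcs12_password_file = a
        elif o == '--append':
            append = True
        elif o == '--no-trust-flags':
            include_trust_flags = False
        elif o == '--no-key':
            include_key = False
        elif o == '--no-chain':
            include_chain = False
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
        elif o == '--debug':
            debug = True
        elif o == '--help':
            self.usage()
            sys.exit()
        else:
            # getopt already rejects unknown options; kept as a safety net.
            self.print_message('ERROR: unknown option ' + o)
            self.usage()
            sys.exit(1)

    if not args:
        print('ERROR: missing cert ID')
        self.usage()
        sys.exit(1)

    cert_id = args[0]

    if not (cert_file or csr_file or pkcs12_file):
        print('ERROR: missing output file')
        self.usage()
        sys.exit(1)

    # Resolve the cert ID before touching the instance so a malformed ID
    # fails fast with a usage error instead of an IndexError traceback.
    subsystem_name = None
    cert_tag = cert_id

    if cert_id not in ('sslserver', 'subsystem'):
        # A cert tag may itself contain '_', so split only on the first one:
        # <subsystem>_<tag>.
        if '_' not in cert_id:
            print('ERROR: invalid cert ID %s' % cert_id)
            self.usage()
            sys.exit(1)
        subsystem_name, cert_tag = cert_id.split('_', 1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)

    instance.load()

    # Instance-level certs are read through the first subsystem.
    if not subsystem_name:
        if not instance.subsystems:
            print('ERROR: No subsystems in instance %s.' % instance_name)
            sys.exit(1)
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        print('ERROR: No %s subsystem in instance %s.' % (subsystem_name, instance_name))
        sys.exit(1)

    nssdb = instance.open_nssdb()

    try:
        cert = subsystem.get_subsystem_cert(cert_tag)
        if not cert:
            print('ERROR: missing %s certificate' % cert_id)
            self.usage()
            sys.exit(1)

        if cert_file:
            if self.verbose:
                print('Exporting %s certificate into %s.' % (cert_id, cert_file))

            cert_data = cert.get('data', None)
            if cert_data is None:
                print("ERROR: Unable to find certificate data for %s" % cert_id)
                sys.exit(1)

            # The stored cert is base64; the output file is PEM.
            cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
            with open(cert_file, 'w') as f:
                f.write(cert_data)

        if csr_file:
            if self.verbose:
                print('Exporting %s CSR into %s.' % (cert_id, csr_file))

            cert_request = cert.get('request', None)
            if cert_request is None:
                print("ERROR: Unable to find certificate request for %s" % cert_id)
                sys.exit(1)

            csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
            with open(csr_file, 'w') as f:
                f.write(csr_data)

        if pkcs12_file:
            if self.verbose:
                print('Exporting %s certificate and key into %s.' % (cert_id, pkcs12_file))

            # Prompt rather than export an unprotected key bundle when the
            # caller gave neither a password nor a password file.
            if not pkcs12_password and not pkcs12_password_file:
                pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ')

            nssdb.export_pkcs12(
                pkcs12_file=pkcs12_file,
                pkcs12_password=pkcs12_password,
                pkcs12_password_file=pkcs12_password_file,
                nicknames=[cert['nickname']],
                append=append,
                include_trust_flags=include_trust_flags,
                include_key=include_key,
                include_chain=include_chain,
                debug=debug)
    finally:
        nssdb.close()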
def execute(self, argv):
    """Export a system certificate as PEM, its CSR as PEM and/or a PKCS #12 bundle.

    ``argv`` is the option list followed by one positional cert ID
    (``sslserver``, ``subsystem`` or ``<subsystem>_<tag>``).  At least one
    of ``--cert-file``, ``--csr-file`` or ``--pkcs12-file`` must be given.
    ``-v`` and ``--debug`` raise the root logger level to INFO / DEBUG.

    Security notes: the PKCS #12 output carries the private key unless
    ``--no-key`` is passed, so the file is sensitive.  A password given via
    ``--pkcs12-password`` is visible to other local users in the process
    listing; ``--pkcs12-password-file`` or the interactive prompt (used when
    neither option is set) avoids that.

    Calls ``sys.exit(1)`` on usage errors, an unknown instance or subsystem,
    or missing certificate data.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=',
            'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
            'friendly-name=', 'cert-encryption=', 'key-encryption=',
            'append', 'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    # Options that carry a value: option -> setting name.
    valued = {
        '-i': 'instance_name',
        '--instance': 'instance_name',
        '--cert-file': 'cert_file',
        '--csr-file': 'csr_file',
        '--pkcs12-file': 'pkcs12_file',
        '--pkcs12-password': 'pkcs12_password',
        '--pkcs12-password-file': 'pkcs12_password_file',
        '--friendly-name': 'friendly_name',
        '--cert-encryption': 'cert_encryption',
        '--key-encryption': 'key_encryption',
    }
    # Boolean switches: option -> (setting name, value it stores).
    switches = {
        '--append': ('append', True),
        '--no-trust-flags': ('include_trust_flags', False),
        '--no-key': ('include_key', False),
        '--no-chain': ('include_chain', False),
    }
    settings = {
        'instance_name': 'pki-tomcat',
        'cert_file': None,
        'csr_file': None,
        'pkcs12_file': None,
        'pkcs12_password': None,
        'pkcs12_password_file': None,
        'friendly_name': None,
        'cert_encryption': None,
        'key_encryption': None,
        'append': False,
        'include_trust_flags': True,
        'include_key': True,
        'include_chain': True,
    }

    for opt, value in opts:
        if opt in valued:
            settings[valued[opt]] = value
        elif opt in switches:
            name, flag = switches[opt]
            settings[name] = flag
        elif opt == '--debug':
            logging.getLogger().setLevel(logging.DEBUG)
        elif opt in ('-v', '--verbose'):
            logging.getLogger().setLevel(logging.INFO)
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            # Unreachable in practice: getopt rejects unknown options first.
            logger.error('option %s not recognized', opt)
            self.print_help()
            sys.exit(1)

    instance_name = settings['instance_name']
    cert_file = settings['cert_file']
    csr_file = settings['csr_file']
    pkcs12_file = settings['pkcs12_file']
    pkcs12_password = settings['pkcs12_password']
    pkcs12_password_file = settings['pkcs12_password_file']
    friendly_name = settings['friendly_name']

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    if not any((cert_file, csr_file, pkcs12_file)):
        logger.error('missing output file')
        self.print_help()
        sys.exit(1)

    instance = pki.server.instance.PKIInstance(instance_name)
    if not instance.exists():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    instance.load()

    subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id)

    # Instance-level cert IDs have no subsystem part; use the first subsystem.
    if not subsystem_name:
        subsystem_name = instance.get_subsystems()[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error(
            'No %s subsystem in instance %s.',
            subsystem_name, instance_name)
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        logger.error('missing %s certificate', cert_id)
        self.print_help()
        sys.exit(1)

    if cert_id == 'sslserver':
        # The SSL server nickname may be written as "<token>:<nickname>";
        # split on the first colon, no colon means the default token.
        full_name = instance.get_sslserver_cert_nickname()
        token, sep, rest = full_name.partition(':')
        if sep:
            nickname = rest
        else:
            nickname = full_name
            token = None
    else:
        # nickname and token come from CS.cfg
        nickname = cert['nickname']
        token = cert['token']

    logger.info('Nickname: %s', nickname)
    logger.info('Token: %s', token)

    nssdb = instance.open_nssdb(token)

    try:
        if cert_file:
            logger.info('Exporting %s certificate into %s.', cert_id, cert_file)

            encoded = cert.get('data')
            if encoded is None:
                logger.error('Unable to find certificate data for %s', cert_id)
                sys.exit(1)

            # stored as base64, written out as PEM (public data only)
            pem = pki.nssdb.convert_cert(encoded, 'base64', 'pem')
            with open(cert_file, 'w') as out:
                out.write(pem)

        if csr_file:
            logger.info('Exporting %s CSR into %s.', cert_id, csr_file)

            encoded_csr = cert.get('request')
            if encoded_csr is None:
                logger.error('Unable to find certificate request for %s', cert_id)
                sys.exit(1)

            pem_csr = pki.nssdb.convert_csr(encoded_csr, 'base64', 'pem')
            with open(csr_file, 'w') as out:
                out.write(pem_csr)

        if pkcs12_file:
            logger.info('Exporting %s certificate and key into %s.', cert_id, pkcs12_file)

            # No password and no password file: ask interactively rather
            # than write an unprotected key bundle.
            if not pkcs12_password and not pkcs12_password_file:
                pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ')

            logger.info('Friendly name: %s', friendly_name)

            nssdb.export_cert(
                nickname=nickname,
                pkcs12_file=pkcs12_file,
                pkcs12_password=pkcs12_password,
                pkcs12_password_file=pkcs12_password_file,
                friendly_name=friendly_name,
                cert_encryption=settings['cert_encryption'],
                key_encryption=settings['key_encryption'],
                append=settings['append'],
                include_trust_flags=settings['include_trust_flags'],
                include_key=settings['include_key'],
                include_chain=settings['include_chain'])
    finally:
        nssdb.close()
def execute(self, argv):
    """Export a system certificate as PEM, its CSR as PEM and/or a PKCS #12 bundle.

    ``argv`` is the option list followed by one positional cert ID
    (``sslserver``, ``subsystem`` or ``<subsystem>_<tag>``).  At least one
    of ``--cert-file``, ``--csr-file`` or ``--pkcs12-file`` must be given.
    ``-v`` turns on verbose mode (INFO), ``--debug`` verbose plus debug
    mode (DEBUG); log lines are formatted as ``LEVEL: message``.

    Security notes: the PKCS #12 output carries the private key unless
    ``--no-key`` is passed, so the file is sensitive.  A password given via
    ``--pkcs12-password`` is visible to other local users in the process
    listing; ``--pkcs12-password-file`` or the interactive prompt (used when
    neither option is set) avoids that.

    Calls ``sys.exit(1)`` on usage errors, an unknown instance or subsystem,
    or missing certificate data.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=',
            'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
            'friendly-name=', 'cert-encryption=', 'key-encryption=',
            'append', 'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    # Options that carry a value: option -> setting name.
    valued = {
        '-i': 'instance_name',
        '--instance': 'instance_name',
        '--cert-file': 'cert_file',
        '--csr-file': 'csr_file',
        '--pkcs12-file': 'pkcs12_file',
        '--pkcs12-password': 'pkcs12_password',
        '--pkcs12-password-file': 'pkcs12_password_file',
        '--friendly-name': 'friendly_name',
        '--cert-encryption': 'cert_encryption',
        '--key-encryption': 'key_encryption',
    }
    # Boolean switches: option -> (setting name, value it stores).
    switches = {
        '--append': ('append', True),
        '--no-trust-flags': ('include_trust_flags', False),
        '--no-key': ('include_key', False),
        '--no-chain': ('include_chain', False),
    }
    settings = {
        'instance_name': 'pki-tomcat',
        'cert_file': None,
        'csr_file': None,
        'pkcs12_file': None,
        'pkcs12_password': None,
        'pkcs12_password_file': None,
        'friendly_name': None,
        'cert_encryption': None,
        'key_encryption': None,
        'append': False,
        'include_trust_flags': True,
        'include_key': True,
        'include_chain': True,
    }

    for opt, value in opts:
        if opt in valued:
            settings[valued[opt]] = value
        elif opt in switches:
            name, flag = switches[opt]
            settings[name] = flag
        elif opt in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif opt == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            # Unreachable in practice: getopt rejects unknown options first.
            logger.error('option %s not recognized', opt)
            self.print_help()
            sys.exit(1)

    instance_name = settings['instance_name']
    cert_file = settings['cert_file']
    csr_file = settings['csr_file']
    pkcs12_file = settings['pkcs12_file']
    pkcs12_password = settings['pkcs12_password']
    pkcs12_password_file = settings['pkcs12_password_file']
    friendly_name = settings['friendly_name']

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    if not any((cert_file, csr_file, pkcs12_file)):
        logger.error('missing output file')
        self.print_help()
        sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    instance.load()

    subsystem_name, cert_tag = server.PKIServer.split_cert_id(cert_id)

    # Instance-level cert IDs have no subsystem part; use the first subsystem.
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error(
            'No %s subsystem in instance %s.',
            subsystem_name, instance_name)
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        logger.error('missing %s certificate', cert_id)
        self.print_help()
        sys.exit(1)

    if cert_id == 'sslserver':
        # serverCertNick.conf may give "<token>:<nickname>"; split on the
        # first colon, no colon means the default token.
        full_name = instance.get_sslserver_cert_nickname()
        token, sep, rest = full_name.partition(':')
        if sep:
            nickname = rest
        else:
            nickname = full_name
            token = None
    else:
        # nickname and token come from CS.cfg
        nickname = cert['nickname']
        token = cert['token']

    logger.info('Nickname: %s', nickname)
    logger.info('Token: %s', token)

    nssdb = instance.open_nssdb(token)

    try:
        if cert_file:
            logger.info('Exporting %s certificate into %s.', cert_id, cert_file)

            encoded = cert.get('data', None)
            if encoded is None:
                logger.error('Unable to find certificate data for %s', cert_id)
                sys.exit(1)

            # stored as base64, written out as PEM (public data only)
            pem = pki.nssdb.convert_cert(encoded, 'base64', 'pem')
            with open(cert_file, 'w') as out:
                out.write(pem)

        if csr_file:
            logger.info('Exporting %s CSR into %s.', cert_id, csr_file)

            encoded_csr = cert.get('request', None)
            if encoded_csr is None:
                logger.error('Unable to find certificate request for %s', cert_id)
                sys.exit(1)

            pem_csr = pki.nssdb.convert_csr(encoded_csr, 'base64', 'pem')
            with open(csr_file, 'w') as out:
                out.write(pem_csr)

        if pkcs12_file:
            logger.info('Exporting %s certificate and key into %s.', cert_id, pkcs12_file)

            # No password and no password file: ask interactively rather
            # than write an unprotected key bundle.
            if not pkcs12_password and not pkcs12_password_file:
                pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ')

            logger.info('Friendly name: %s', friendly_name)

            nssdb.export_cert(
                nickname=nickname,
                pkcs12_file=pkcs12_file,
                pkcs12_password=pkcs12_password,
                pkcs12_password_file=pkcs12_password_file,
                friendly_name=friendly_name,
                cert_encryption=settings['cert_encryption'],
                key_encryption=settings['key_encryption'],
                append=settings['append'],
                include_trust_flags=settings['include_trust_flags'],
                include_key=settings['include_key'],
                include_chain=settings['include_chain'],
                debug=self.debug)
    finally:
        nssdb.close()