def enroll_with_zone_update(conn, zone, cn=None):
request = CertificateRequest(common_name=cn, origin="Python-SDK ECDSA")
zc = conn.read_zone_conf(zone)
request.update_from_zone_config(zc)
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)
return cert, request.cert_guid
def enroll(self):
request = CertificateRequest(common_name=self.common_name,
key_password=self.privatekey_passphrase,
origin="Red Hat Ansible")
zone_config = self.conn.read_zone_conf(self.zone)
request.update_from_zone_config(zone_config)
use_existed_key = False
if self._check_private_key_correct() and not self.privatekey_reuse:
private_key = to_text(open(self.privatekey_filename, "rb").read())
request.private_key = private_key
use_existed_key = True
elif self.privatekey_type:
key_type = {"RSA": "rsa", "ECDSA": "ec", "EC": "ec"}. \
get(self.privatekey_type)
if not key_type:
self.module.fail_json(msg=("Failed to determine key type: %s."
"Must be RSA or ECDSA" %
self.privatekey_type))
if key_type == "rsa":
request.key_type = KeyType(KeyType.RSA, self.privatekey_size)
elif key_type == "ecdsa" or "ec":
request.key_type = KeyType(KeyType.ECDSA,
self.privatekey_curve)
else:
self.module.fail_json(msg=("Failed to determine key type: %s."
"Must be RSA or ECDSA" %
self.privatekey_type))
request.ip_addresses = self.ip_addresses
request.san_dns = self.san_dns
request.email_addresses = self.email_addresses
request.chain_option = self.module.params['chain_option']
try:
csr = open(self.csr_path, "rb").read()
request.csr = csr
except Exception as e:
self.module.log(msg=str(e))
pass
self.conn.request_cert(request, self.zone)
print(request.csr)
while True:
cert = self.conn.retrieve_cert(request) # vcert.Certificate
if cert:
break
else:
time.sleep(5)
if self.chain_filename:
self._atomic_write(self.chain_filename, "\n".join(cert.chain))
self._atomic_write(self.certificate_filename, cert.cert)
else:
self._atomic_write(self.certificate_filename, cert.full_chain)
if not use_existed_key:
self._atomic_write(self.privatekey_filename,
request.private_key_pem)
def enroll_with_zone_update(conn, zone, cn=None):
request = CertificateRequest(common_name=cn, origin="Python-SDK ECDSA")
zc = conn.read_zone_conf(zone)
request.update_from_zone_config(zc)
conn.request_cert(request, zone)
while True:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
return cert
def test_update_request_with_zone_config(self):
r = CertificateRequest()
z = ZoneConfig(organization=CertField("Venafi"),
organizational_unit=CertField(""),
country=CertField(""),
province=CertField(""),
locality=CertField(""),
policy=None,
key_type=None)
r.update_from_zone_config(z)
self.assertEqual(r.organization, "Venafi")
r = CertificateRequest(organization="Test")
r.update_from_zone_config(z)
self.assertEqual(r.organization, "Test")
z = ZoneConfig(organization=CertField("Venafi", locked=True),
organizational_unit=CertField(""),
country=CertField(""),
province=CertField(""),
locality=CertField(""),
policy=None,
key_type=None)
r.update_from_zone_config(z)
self.assertEqual(r.organization, "Venafi")
def main():
# Get credentials from environment variables
token = environ.get('CLOUD_APIKEY')
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
url = environ.get('TPP_URL')
zone = environ.get("ZONE")
fake = environ.get('FAKE')
if fake:
# If fake is true, test connection will be used.
conn = Connection(fake=True)
else:
# Connection will be chosen automatically based on which arguments are passed.
# If token is passed Venafi Cloud connection will be used.
# If user, password, and URL Venafi Platform (TPP) will be used.
conn = Connection(url=url,
token=token,
user=user,
password=password,
http_request_kwargs={"verify": False})
# If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
# a trust bundle using requests vars:
#conn = Connection(url=url, token=token, user=user, password=password,
# http_request_kwargs={"verify": "/path-to/bundle.pem"})
request = CertificateRequest(common_name=randomword(10) +
".venafi.example.com")
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
if not isinstance(conn, CloudConnection):
# Venafi Cloud doesn't support email or IP SANs in CSR
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
# Specify ordering certificates in chain. Root can be "first" or "last". By default it last. You also can
# specify "ignore" to ignore chain (supported only for Platform).
# configure key type, RSA example
# request.key_type = KeyType(KeyType.RSA, 4096)
# or set it to ECDSA
request.key_type = KeyType(KeyType.ECDSA, "p521")
# Update certificate request from zone
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
conn.request_cert(request, zone)
# and wait for signing
t = time.time() + 300
while time.time() < t:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain, request.private_key_pem, sep="\n")
# and save into file
f = open("/tmp/cert.pem", "w")
f.write(cert.full_chain)
f = open("/tmp/cert.key", "w")
f.write(request.private_key_pem)
f.close()
if not isinstance(conn, FakeConnection):
# fake connection doesn`t support certificate renewing
print("Trying to renew certificate")
new_request = CertificateRequest(cert_id=request.id, )
conn.renew_cert(new_request)
while True:
new_cert = conn.retrieve_cert(new_request)
if new_cert:
break
else:
time.sleep(5)
print(new_cert.cert, new_request.private_key_pem, sep="\n")
fn = open("/tmp/new_cert.pem", "w")
fn.write(new_cert.cert)
fn = open("/tmp/new_cert.key", "w")
fn.write(new_request.private_key_pem)
fn.close()
if isinstance(conn, TPPConnection):
revocation_req = RevocationRequest(req_id=request.id,
comments="Just for test")
print("Revoke", conn.revoke_cert(revocation_req))
print("Trying to sign CSR")
csr_pem = open("example-csr.pem", "rb").read()
csr_request = CertificateRequest(csr=csr_pem.decode())
# zone_config = conn.read_zone_conf(zone)
# request.update_from_zone_config(zone_config)
conn.request_cert(csr_request, zone)
# and wait for signing
while True:
cert = conn.retrieve_cert(csr_request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain)
# and save into file
f = open("/tmp/signed-cert.pem", "w")
f.write(cert.full_chain)
f.close()
def main():
# Get credentials from environment variables
url = environ.get('TPP_TOKEN_URL')
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
zone = environ.get('TPP_ZONE')
server_trust_bundle = environ.get('TPP_TRUST_BUNDLE')
# Connection will be chosen automatically based on which arguments are passed.
# If token is passed Venafi Cloud connection will be used.
# If user, password, and URL Venafi Platform (TPP) will be used.
# If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
# a trust bundle using http_request_kwargs.
conn = venafi_connection(
url=url,
user=user,
password=password,
http_request_kwargs={'verify': server_trust_bundle})
# Build a Certificate request
request = CertificateRequest(
common_name=f"{random_word(10)}.venafi.example.com")
# Set the request to use a service generated CSR
request.csr_origin = CSR_ORIGIN_SERVICE
# Include some Subject Alternative Names
request.san_dns = [
"www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
]
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
request.uniform_resource_identifiers = [
"http://wgtest.uri.com", "https://ragnartest.uri.com"
]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
# Specify whether or not to return the private key. It is False by default.
# A password should be defined for the private key if include_private_key is True.
request.include_private_key = True
request.key_password = '******'
# Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
# or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
# You can also specify CHAIN_OPTION_IGNORE ("ignore") to ignore chain (supported only for TPP).
# request.chain_option = CHAIN_OPTION_FIRST
# To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
# request.custom_fields = [
# CustomField(name="Cost Center", value="ABC123"),
# CustomField(name="Environment", value="Production"),
# CustomField(name="Environment", value="Staging")
# ]
#
# Update certificate request from zone.
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
# Request the certificate.
conn.request_cert(request, zone)
# Wait for the certificate to be retrieved.
# This operation may take some time to return, as it waits until the certificate is ISSUED or it timeout.
# Timeout is 180s by default. Can be changed using:
# request.timeout = 300
cert = conn.retrieve_cert(request)
# Print the certificate
print(cert.full_chain)
# Save it into a file
f = open("./cert.pem", "w")
f.write(cert.full_chain)
f.close()
print("Trying to renew certificate")
new_request = CertificateRequest(cert_id=request.id)
# The renewal request should use a service generated CSR as well
# This may not be necessary and depends entirely on the settings of your Policy/Zone
new_request.csr_origin = CSR_ORIGIN_SERVICE
conn.renew_cert(new_request)
new_cert = conn.retrieve_cert(new_request)
print(new_cert.cert)
fn = open("./new_cert.pem", "w")
fn.write(new_cert.cert)
fn.close()
def main():
# Get credentials from environment variables
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
url = environ.get('TPP_TOKEN_URL')
zone = environ.get("ZONE")
fake = environ.get('FAKE')
if fake:
# If fake is true, test connection will be used.
conn = Connection(fake=True)
else:
# If user and password are passed, you can get a new token from them.
# If access_token and refresh_token are passed, there is no need for the username and password.
# If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it.
conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={"verify": False})
# If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
# a trust bundle using requests vars:
# conn = token_connection(url=url, user=user, password=password,
# http_request_kwargs={"verify": "/path-to/bundle.pem"})
request = CertificateRequest(common_name=random_word(10) + ".venafi.example.com")
request.san_dns = [u"www.client.venafi.example.com", u"ww1.client.venafi.example.com"]
request.email_addresses = [u"*****@*****.**", u"*****@*****.**"]
request.ip_addresses = [u"127.0.0.1", u"192.168.1.1"]
request.uniform_resource_identifiers = [u"http://wgtest.com",u"https://ragnartest.com"]
request.user_principal_names = [u"*****@*****.**", u"*****@*****.**"]
# Specify ordering certificates in chain. Root can be "first" or "last". By default its last. You also can
# specify "ignore" to ignore chain (supported only for Platform).
# To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
#request.custom_fields = [
# CustomField(name="Cost Center", value="ABC123"),
# CustomField(name="Environment", value="Production"),
# CustomField(name="Environment", value="Staging")
#]
# configure key type, RSA example
request.key_type = KeyType(KeyType.RSA, 2048)
# or set it to ECDSA
#request.key_type = KeyType(KeyType.ECDSA, "p521")
# Update certificate request from zone
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
conn.request_cert(request, zone)
# and wait for signing
t = time.time() + 300
while time.time() < t:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain, request.private_key_pem, sep="\n")
# and save into file
f = open("/tmp/cert.pem", "w")
f.write(cert.full_chain)
f = open("/tmp/cert.key", "w")
f.write(request.private_key_pem)
f.close()
if not isinstance(conn, FakeConnection):
# fake connection doesn`t support certificate renewing
print("Trying to renew certificate")
new_request = CertificateRequest(
cert_id=request.id,
)
conn.renew_cert(new_request)
while True:
new_cert = conn.retrieve_cert(new_request)
if new_cert:
break
else:
time.sleep(5)
print(new_cert.cert, new_request.private_key_pem, sep="\n")
fn = open("/tmp/new_cert.pem", "w")
fn.write(new_cert.cert)
fn = open("/tmp/new_cert.key", "w")
fn.write(new_request.private_key_pem)
fn.close()
if isinstance(conn, (TPPConnection or TPPTokenConnection)):
revocation_req = RevocationRequest(req_id=request.id, comments="Just for test")
print("Revoke", conn.revoke_cert(revocation_req))
print("Trying to sign CSR")
csr_pem = open("example-csr.pem", "rb").read()
csr_request = CertificateRequest(csr=csr_pem.decode())
# zone_config = conn.read_zone_conf(zone)
# request.update_from_zone_config(zone_config)
conn.request_cert(csr_request, zone)
# and wait for signing
while True:
cert = conn.retrieve_cert(csr_request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain)
# and save into file
f = open("/tmp/signed-cert.pem", "w")
f.write(cert.full_chain)
f.close()
def main():
# Get credentials from environment variables
token = environ.get('CLOUD_APIKEY')
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
url = environ.get('TPP_URL')
zone = environ.get("ZONE")
# connection will be chosen automatically based on what arguments are passed,
# If token is passed Venafi Cloud connection will be used. if user, password, and URL Venafi Platform (TPP) will
# be used. If none, test connection will be used.
conn = Connection(url=url, token=token, user=user, password=password, http_request_kwargs={"verify": False})
# If your TPP server certificate signed with your own CA or available only via proxy you can specify requests vars
# conn = Connection(url=url, token=token, user=user, password=password,
# http_request_kwargs={"verify": "/path/to/trust/bundle.pem"})
request = CertificateRequest(common_name=randomword(10) + u".venafi.example.com")
request.san_dns = [u"www.client.venafi.example.com", u"ww1.client.venafi.example.com"]
if not isinstance(conn, CloudConnection):
# Venafi Cloud doesn't support email or IP SANs in CSR
request.email_addresses = [u"*****@*****.**", u"*****@*****.**"]
request.ip_addresses = [u"127.0.0.1", u"192.168.1.1"]
# Specify ordering certificates in chain. Root can be "first" or "last". By default it last. You also can
# specify "ignore" to ignore chain (supported only for Platform).
# To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
#request.custom_fields = [
# CustomField(name="Cost Center", value="ABC123"),
# CustomField(name="Environment", value="Production"),
# CustomField(name="Environment", value="Staging")
#]
# Update certificate request from zone
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
conn.request_cert(request, zone)
# and wait for signing
while True:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print("\n".join([cert.full_chain, request.private_key_pem]))
# and save into file
f = open("/tmp/cert.pem", "w")
f.write(cert.full_chain)
f = open("/tmp/cert.key", "w")
f.write(request.private_key_pem)
f.close()
if not isinstance(conn, FakeConnection):
# fake connection doesn`t support certificate renewing
print("Trying to renew certificate")
new_request = CertificateRequest(
cert_id=request.id,
)
conn.renew_cert(new_request)
while True:
new_cert = conn.retrieve_cert(new_request)
if new_cert:
break
else:
time.sleep(5)
print(new_cert.cert)
fn = open("/tmp/new_cert.pem", "w")
fn.write(new_cert.cert)
if isinstance(conn, TPPConnection):
revocation_req = RevocationRequest(req_id=request.id,
comments="Just for test")
print("Revoke", conn.revoke_cert(revocation_req))
def enroll(self):
LOG.info("Running enroll")
common_name = self.properties[self.CN]
sans = self.properties[self.SANs]
privatekey_passphrase = self.properties[self.KEY_PASSWORD]
privatekey_type = self.properties[self.KEY_TYPE]
curve = self.properties[self.KEY_CURVE]
key_size = self.properties[self.KEY_LENGTH]
zone = self.properties[self.ZONE]
LOG.info("Reading zone config from %s", zone)
zone_config = self.conn.read_zone_conf(zone)
request = CertificateRequest(
common_name=common_name,
origin="OpenStack"
)
request.update_from_zone_config(zone_config)
ip_addresses = []
email_addresses = []
san_dns = []
if len(sans) > 0:
LOG.info("Configuring SANs from list %s", sans)
for n in sans:
if n.lower().startswith(("ip:", "ip address:")):
ip = n.split(":", 1)[1]
LOG.info("Adding ip %s to ip_addresses", ip)
ip_addresses.append(ip)
elif n.lower().startswith("dns:"):
ns = n.split(":", 1)[1]
LOG.info("Adding domain name %s to san_dns", ns)
san_dns.append(ns)
elif n.lower().startswith("email:"):
mail = n.split(":", 1)[1]
LOG.info("Adding mail %s to email_addresses", mail)
email_addresses.append(mail)
else:
raise Exception("Failed to determine extension type: %s" % n)
request.ip_addresses = ip_addresses
request.san_dns = san_dns
request.email_addresses = email_addresses
LOG.info("Request is %s, %s, %s", request.ip_addresses, request.san_dns, request.email_addresses)
if privatekey_passphrase is not None:
request.key_password = privatekey_passphrase
if privatekey_type:
request.key_type = KeyType(privatekey_type, key_size or curve)
self.conn.request_cert(request, zone)
t = time.time()
while True:
LOG.info("Trying to retrieve certificate")
cert = self.conn.retrieve_cert(request) # type: vcert.Certificate
if cert or time.time() > t + 600:
break
else:
time.sleep(5)
LOG.info("Got certificate: %s", cert.cert)
LOG.info("Got chain: %s", cert.chain)
return {self.CHAIN_ATTR: cert.chain, self.CERTIFICATE_ATTR: cert.cert,
self.PRIVATE_KEY_ATTR: request.private_key_pem, self.CSR_ATTR: request.csr}
