def run():
    """Generate a server key and CSR, then have the CA sign the CSR.

    Reads the server_key/server_cert/server_csr/ca_key/ca_cert/ca_serial
    options plus --hostname from the command line.  The three steps run in
    order; the first one that fails prints a message and exits with status 1.
    Returns True after printing the server cert and key paths.
    """
    parser = get_parser(
        limit_options=[
            "server_key", "server_cert", "server_csr",
            "ca_key", "ca_cert", "ca_serial",
        ]
    )
    parser = add_hostname_option(parser)
    opts, _args = parser.parse_args()

    # NOTE(review): the option values are presumably interpolated into shell
    # command strings by the create_* helpers; they come from the operator's
    # command line rather than an untrusted source, but quoting is left to
    # those helpers.
    steps = [
        (lambda: create_server_key(opts.server_key),
         "Failed to create server key"),
        (lambda: create_server_csr(opts.server_key, opts.server_csr, opts.hostname),
         "Failed to create server csr"),
        (lambda: create_server_cert(opts.server_cert, opts.server_csr,
                                    opts.ca_cert, opts.ca_key, opts.ca_serial),
         "Failed to create server cert"),
    ]
    for step, failure_message in steps:
        if not step():
            print(failure_message)
            sys.exit(1)

    print("Server Cert: %s" % opts.server_cert)
    print("Server Key: %s" % opts.server_key)
    return True
def run(default_install_dir="/etc/pki/splice", httpd_ssl_config_file="/etc/httpd/conf.d/ssl.conf"):
    """Point Apache's SSL config at the given server key/cert and CA cert, then restart httpd.

    Args:
        default_install_dir: kept for interface compatibility only.  The step
            that copied the key/cert/CA into this directory (and the
            --install_dir option that selected it) is disabled, so the value
            is currently unused and the files are referenced in place.
        httpd_ssl_config_file: the Apache SSL config file handed to
            update_httpd_config().

    The first failing step prints a message and exits with status 1;
    returns True once httpd has been restarted.
    """
    parser = get_parser(limit_options=["server_key", "server_cert", "ca_cert"])
    opts, _args = parser.parse_args()

    if not comment_out_ssl_settings():
        print("Unable to comment out the existing SSL settings in apache's ssl.conf")
        sys.exit(1)
    print("Apache's default ssl settings have been commented out")

    # The paths go into ssl.conf exactly as given on the command line.
    if not update_httpd_config(opts.server_key, opts.server_cert, opts.ca_cert, httpd_ssl_config_file):
        print("Error updating httpd")
        sys.exit(1)
    print("Httpd ssl.conf has been updated")

    if not restart_httpd():
        print("Error restarting httpd")
        sys.exit(1)
    return True
def run():
    """Create the CA private key, the CA certificate and the CA serial file.

    Reads ca_key/ca_cert/ca_serial from the command line.  The first failing
    step prints a message and exits with status 1; nothing already written is
    removed on failure.  Returns True after printing the CA key and cert paths.
    """
    parser = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"])
    opts, _args = parser.parse_args()

    def abort(message):
        # Report the failed step and stop the script.
        print(message)
        sys.exit(1)

    if not create_ca_key(opts.ca_key):
        abort("Failed to create CA key")
    if not create_ca_cert(opts.ca_key, opts.ca_cert):
        abort("Failed to create CA cert")
    if not create_serial(opts.ca_serial):
        abort("Failed to create CA serial file: %s" % opts.ca_serial)

    print("CA Key: %s" % opts.ca_key)
    print("CA Cert: %s" % opts.ca_cert)
    return True
client_key, csr) return run_command(cmd)


def create_client_cert(client_cert, client_csr, ca_cert, ca_key, extensions, ent_name, ca_serial):
    """Have the CA sign client_csr and write the issued cert to client_cert.

    extensions is an openssl extfile and ent_name the section of it to apply.
    ca_serial is the CA serial file; when it does not exist yet openssl is
    told to create it.  Returns the result of run_command() for the openssl
    invocation.
    """
    # -days 10950 gives the client cert a 30-year validity period.
    cmd = "openssl x509 -req -days 10950 -CA %s -CAkey %s -extfile %s -extensions %s -in %s -out %s -CAserial %s" \
        % (ca_cert, ca_key, extensions, ent_name, client_csr, client_cert, ca_serial)
    if not os.path.exists(ca_serial):
        # First issuance with this serial file: let openssl create it.
        cmd = cmd + " -CAcreateserial"
    # NOTE(review): the arguments are interpolated unquoted into one command
    # string; if run_command() hands it to a shell, paths containing
    # whitespace or shell metacharacters would break the command.
    return run_command(cmd)


if __name__ == "__main__":
    parser = get_parser(limit_options=[
        "client_key", "client_csr", "client_cert", "ca_key", "ca_cert", "ent", "ext", "ca_serial"
    ])
    (opts, args) = parser.parse_args()
    client_key = opts.client_key
    client_cert = opts.client_cert
    client_csr = opts.client_csr
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    ent_name = opts.ent
    extensions = opts.ext
    ca_serial = opts.ca_serial
    if not create_client_key(client_key):
        print "Failed to create client key"
        sys.exit(1)
return False
    # NOTE(review): the replacement text is a file path, and this sed s///
    # expression uses "/" as its delimiter, so an absolute server_key would
    # terminate the expression early.  Confirm this works with the paths
    # actually passed in, or switch to another delimiter such as s|...|...|.
    cmd = "sed -i 's/^SSLCertificateKeyFile.*/SSLCertificateKeyFile %s/' %s" % (server_key, httpd_ssl_confd)
    if not run_command(cmd):
        return False
    # The SSLCACertificateFile rewrite is disabled; ca_cert is not applied here.
    #cmd = "sed -i 's/^SSLCACertificateFile.*/SSLCACertificateFile %s/' %s" % (ca_cert, httpd_ssl_confd)
    #if not run_command(cmd):
    #    return False
    return True


def enable_repo_auth(repo_auth_config="/etc/pulp/repo_auth.conf"):
    """Flip "enabled: false" to "enabled: true" in repo_auth_config with sed -i.

    Returns the result of run_command() for the sed invocation.
    """
    cmd = "sed -i 's/enabled: false/enabled: true/' %s" % (repo_auth_config)
    return run_command(cmd)


if __name__ == "__main__":
    default_install_dir = "/etc/pki/pulp/content"
    parser = get_parser(limit_options=["server_key", "server_cert", "ca_cert"])
    parser.add_option("--install_dir", action="store",
                      help="Install directory for server SSL cert/key. Default is %s" % (default_install_dir),
                      default=default_install_dir)
    (opts, args) = parser.parse_args()
    server_key = opts.server_key
    server_cert = opts.server_cert
    ca_cert = opts.ca_cert
    install_dir = opts.install_dir
    if not os.path.exists(install_dir):
        # NOTE(review): created with the default mode (subject to umask); the
        # private key is copied below, so confirm the directory and
        # copy_file()'s resulting file mode do not leave the key world-readable.
        os.makedirs(install_dir)
    # The installed copies keep the original basenames under install_dir.
    installed_server_key = os.path.join(install_dir, os.path.basename(server_key))
    installed_server_cert = os.path.join(install_dir, os.path.basename(server_cert))
    installed_ca_cert = os.path.join(install_dir, os.path.basename(ca_cert))
    if not copy_file(server_key, installed_server_key):
check_dirs(ca_key_name)
    # Self-signed (-x509) root with a fixed subject and a 30-year lifetime.
    cmd = ("openssl req -new -x509 -days 10950 -key %s -out %s -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp-Root-CA'") % (ca_key_name, ca_cert_name)
    return run_command(cmd)


def create_serial(ca_serial):
    """Write the initial CA serial number "01" to ca_serial, creating its directory.

    Always returns True.

    NOTE(review): the file is opened with "w", so an existing serial file is
    truncated and the counter reset to 01.  Re-running this after certs have
    been issued would make the CA hand out duplicate serial numbers; consider
    leaving an existing file untouched.
    """
    if not os.path.exists(os.path.dirname(ca_serial)):
        os.makedirs(os.path.dirname(ca_serial))
    f = open(ca_serial, "w")
    try:
        f.write("01")
    finally:
        f.close()
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"])
    (opts, args) = parser.parse_args()
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    ca_serial = opts.ca_serial
    if not create_ca_key(ca_key):
        print "Failed to create CA key"
        sys.exit(1)
    if not create_ca_cert(ca_key, ca_cert):
        print "Failed to create CA cert"
        sys.exit(1)
    if not create_serial(ca_serial):
#!/usr/bin/env python
"""Fetch one repomd.xml from the given host with a client cert/key and print curl's output."""
import sys

from base import get_parser, run_command, add_hostname_option

if __name__ == "__main__":
    parser = add_hostname_option(
        get_parser(limit_options=["ca_key", "ca_cert", "client_cert", "client_key"])
    )
    opts, _args = parser.parse_args()

    repomd_url = "https://%s/pulp/repos/repos/pulp/pulp/fedora-15/i386/repodata/repomd.xml" % opts.hostname
    # NOTE(review): hostname and the three paths are placed unquoted into the
    # command string; if run_command() uses a shell, values with metacharacters
    # would alter the command.  They come from the operator's own command line.
    curl_cmd = "curl --cacert %s --cert %s --key %s %s" % (
        opts.ca_cert, opts.client_cert, opts.client_key, repomd_url)
    result = run_command(curl_cmd)
    if result:
        _state, out, err = result
        print("%s" % out)
        print("%s" % err)
status = run_command(cmd)
    if status:
        state, out, err = status
        cert_modulus = out
    key_modulus = ""
    # RSA-specific: "openssl rsa -modulus" prints the key's modulus, which is
    # compared verbatim against the cert's.  Either command failing leaves its
    # side empty and the check fails closed.
    cmd = "openssl rsa -noout -modulus -in %s " % (key)
    status = run_command(cmd)
    if status:
        state, out, err = status
        key_modulus = out
    if cert_modulus and key_modulus and cert_modulus == key_modulus:
        return True
    return False


if __name__ == "__main__":
    parser = get_parser()
    opts, args = parser.parse_args()
    ent_key = opts.ent_key
    ent_cert = opts.ent_cert
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    # Check that each cert/key pair belongs together: they must share a modulus.
    if not check_modulus(ca_key, ca_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ca_key,ca_cert)
        sys.exit(1)
    if not check_modulus(ent_key, ent_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ent_key,ent_cert)
        sys.exit(1)
    print "Checks passed"
return True


def revoke_cert(crl_path, cert_to_revoke, ca_cert, ca_key, ssl_conf):
    """Revoke cert_to_revoke in the CA database described by ssl_conf, then regenerate the CRL at crl_path.

    Returns False as soon as either openssl step fails, True otherwise.
    """
    # openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
    # rhel5 needs -md sha1, it complains about the 'default_md' option in openssl config
    # NOTE(review): -md sha1 is a RHEL5 workaround; SHA-1 signatures on the CA
    # database update and on the CRL are weak by current standards -- drop the
    # flag where the openssl build honours the config's default_md.
    cmd = "openssl ca -revoke %s -keyfile %s -cert %s -config %s -md sha1" % (cert_to_revoke, ca_key, ca_cert, ssl_conf)
    if not run_command(cmd):
        return False
    # openssl ca -gencrl -config openssl.cnf -keyfile ./Pulp_CA.key -cert Pulp_CA.cert -out my_crl.pem
    cmd = "openssl ca -gencrl -keyfile %s -cert %s -out %s -config %s -crlexts crl_ext -md sha1" % (ca_key, ca_cert, crl_path, ssl_conf)
    if not run_command(cmd):
        return False
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=["index", "crlnumber", "ssl_conf_template_crl", "ssl_conf_crl", "ca_key", "ca_cert", "crl"])
    (opts, args) = parser.parse_args()
    index = opts.index
    crlnumber = opts.crlnumber
    ssl_conf_template_crl = opts.ssl_conf_template_crl
    ssl_conf_crl = opts.ssl_conf_crl
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    crl = opts.crl
    # The certificate to revoke is the first positional argument.
    if len(args) < 1:
        print "No certificate to revoke was given"
        print "Please re-run with certificate to revoke as command line argument"
        sys.exit(1)
if status:
        state, out, err = status
        cert_modulus = out
    key_modulus = ""
    # RSA-specific: "openssl rsa -modulus" prints the key's modulus, which is
    # compared verbatim against the cert's.  Either command failing leaves its
    # side empty and the check fails closed.
    cmd = "openssl rsa -noout -modulus -in %s " % (key)
    status = run_command(cmd)
    if status:
        state, out, err = status
        key_modulus = out
    if cert_modulus and key_modulus and cert_modulus == key_modulus:
        return True
    return False


if __name__ == "__main__":
    parser = get_parser()
    opts, args = parser.parse_args()
    ent_key = opts.ent_key
    ent_cert = opts.ent_cert
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    # Check that each cert/key pair belongs together: they must share a modulus.
    if not check_modulus(ca_key, ca_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ca_key, ca_cert)
        sys.exit(1)
    if not check_modulus(ent_key, ent_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ent_key, ent_cert)
# rhel5 needs -md sha1, it complains about the 'default_md' option in openssl config
    # NOTE(review): -md sha1 is a RHEL5 workaround; SHA-1 signatures on the CA
    # database update and on the CRL are weak by current standards -- drop the
    # flag where the openssl build honours the config's default_md.
    cmd = "openssl ca -revoke %s -keyfile %s -cert %s -config %s -md sha1" % (
        cert_to_revoke, ca_key, ca_cert, ssl_conf)
    if not run_command(cmd):
        return False
    # openssl ca -gencrl -config openssl.cnf -keyfile ./Pulp_CA.key -cert Pulp_CA.cert -out my_crl.pem
    cmd = "openssl ca -gencrl -keyfile %s -cert %s -out %s -config %s -crlexts crl_ext -md sha1" % (
        ca_key, ca_cert, crl_path, ssl_conf)
    if not run_command(cmd):
        return False
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=[
        "index", "crlnumber", "ssl_conf_template_crl", "ssl_conf_crl", "ca_key", "ca_cert", "crl"
    ])
    (opts, args) = parser.parse_args()
    index = opts.index
    crlnumber = opts.crlnumber
    ssl_conf_template_crl = opts.ssl_conf_template_crl
    ssl_conf_crl = opts.ssl_conf_crl
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    crl = opts.crl
    # The certificate to revoke is the first positional argument.
    if len(args) < 1:
        print "No certificate to revoke was given"
        print "Please re-run with certificate to revoke as command line argument"
        sys.exit(1)
return run_command(cmd)


def create_serial(ca_serial):
    """Write the initial CA serial number "01" to ca_serial, creating its directory.

    Always returns True.

    NOTE(review): the file is opened with "w", so an existing serial file is
    truncated and the counter reset to 01.  Re-running this after certs have
    been issued would make the CA hand out duplicate serial numbers; consider
    leaving an existing file untouched.
    """
    if not os.path.exists(os.path.dirname(ca_serial)):
        os.makedirs(os.path.dirname(ca_serial))
    f = open(ca_serial, "w")
    try:
        f.write("01")
    finally:
        f.close()
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"])
    (opts, args) = parser.parse_args()
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    ca_serial = opts.ca_serial
    if not create_ca_key(ca_key):
        print "Failed to create CA key"
        sys.exit(1)
    if not create_ca_cert(ca_key, ca_cert):
        print "Failed to create CA cert"
        sys.exit(1)
    if not create_serial(ca_serial):
repos[repo_id] = {"id":repo_id}
        for item,value in config.items(repo_id):
            repos[repo_id][item] = value
    return repos


def create_test_repo(repo_id, repo_feed, ca_cert, client_cert, client_key):
    """Create a pulp repo via "sudo pulp-admin repo create" with the given feed and consumer cert settings.

    Returns the result of run_command() for the pulp-admin invocation.
    """
    # NOTE(review): repo_id and repo_feed come from the repo config file and
    # are interpolated unquoted into a command run under sudo; if run_command()
    # uses a shell, a config value containing metacharacters would change the
    # command.
    cmd = "sudo pulp-admin repo create --id %s --feed %s --consumer_ca %s --consumer_cert %s --consumer_key %s" % \
        (repo_id, repo_feed, ca_cert, client_cert, client_key)
    return run_command(cmd)


def sync_test_repo(repo_id):
    """Trigger a forced sync (-F) of the repo via "sudo pulp-admin repo sync".

    Returns the result of run_command() for the pulp-admin invocation.
    """
    # NOTE(review): this reads the module-level `repo` left over from the
    # __main__ loop instead of the repo_id parameter, so the function only
    # works when called from that loop (NameError otherwise); it should format
    # repo_id.
    cmd = "sudo pulp-admin repo sync --id %s -F" % (repo["id"])
    return run_command(cmd)


if __name__ == "__main__":
    parser = get_parser(description="Creat test repos", limit_options=['ca_cert', 'client_key', 'client_cert'])
    (opts, args) = parser.parse_args()
    client_key = opts.client_key
    client_cert = opts.client_cert
    ca_cert = opts.ca_cert
    repos = get_repo_info()
    # Create and sync every configured repo; stop at the first failure.
    for repo in repos.values():
        if not create_test_repo(repo["id"], repo["feed"], ca_cert, client_cert, client_key):
            print "Failed to create repo <%s> with feed <%s>" % (repo["id"], repo["feed"])
            sys.exit(1)
        if not sync_test_repo(repo["id"]):
            print "Failed to sync repo <%s>" % (repo["id"])
            sys.exit(1)