def temp_cert_create(self, nssdb, tmpdir, cert_tag, serial, new_cert_file):
    """
    Issue a short-lived, CA-signed certificate (validity defaults to
    3 months per the original note; the value itself comes from
    ``nssdb.create_cert``, it is not set here).

    **Note**: only the *sslserver* cert tag is supported so far.

    :param nssdb: NSS db instance
    :type nssdb: NSSDatabase
    :param tmpdir: Path to temp dir to write cert's csr and ca's cert file
    :type tmpdir: str
    :param cert_tag: Cert for which temp cert needs to be created
    :type cert_tag: str
    :param serial: Serial number to be assigned to new cert
    :type serial: str
    :param new_cert_file: Path where the new temp cert needs to be written to
    :type new_cert_file: str
    :return: None
    :rtype: None
    :raises pki.server.PKIServerException: for any cert_tag other than
        ``sslserver``, or when ``nssdb.create_cert`` returns a non-zero rc
    """
    logger.info('Generate temp SSL certificate')

    # Guard first: nothing below is meaningful for other cert tags.
    if cert_tag != 'sslserver':
        raise pki.server.PKIServerException(
            'Temp cert for %s is not supported yet.' % cert_tag)

    # setup_temp_renewal is expected to hand back the CA signing cert
    # record (used for its nickname), its Authority Key Identifier and
    # the CSR written into tmpdir.
    issuer_cert, issuer_aki, request_path = self.setup_temp_renewal(
        tmpdir=tmpdir, cert_tag=cert_tag)

    # X.509 extensions passed through to certutil.
    # NOTE(review): keyUsage also asserts nonRepudiation and
    # dataEncipherment, which a TLS server cert does not need; kept
    # unchanged here to preserve behaviour, but worth narrowing.
    extensions = {
        # --keyUsage
        'key_usage_ext': {
            'digitalSignature': True,
            'nonRepudiation': True,
            'keyEncipherment': True,
            'dataEncipherment': True,
            'critical': True,
        },
        # -3 (authority key identifier, chains the cert to its issuer)
        'aki_ext': {'auth_key_id': issuer_aki},
        # --extKeyUsage (TLS server authentication only)
        'ext_key_usage_ext': {'serverAuth': True},
    }

    logger.debug('Creating temp cert')
    rc = nssdb.create_cert(
        issuer=issuer_cert['nickname'],
        request_file=request_path,
        cert_file=new_cert_file,
        serial=serial,
        **extensions)

    # create_cert reports certutil's exit status; anything non-zero is a failure.
    if rc:
        raise pki.server.PKIServerException(
            'Failed to generate CA-signed temp SSL certificate. RC: %d' % rc)
def temp_cert_create(self, nssdb, tmpdir, cert_tag, serial, new_cert_file):
    """
    Create a temporary CA-signed certificate for ``cert_tag``.

    The validity period is not set here; it is whatever ``nssdb.create_cert``
    applies by default (3 months according to the original note).

    **Note**: Currently, supports only *sslserver* cert

    :param nssdb: NSS db instance
    :type nssdb: NSSDatabase
    :param tmpdir: Path to temp dir to write cert's csr and ca's cert file
    :type tmpdir: str
    :param cert_tag: Cert for which temp cert needs to be created
    :type cert_tag: str
    :param serial: Serial number to be assigned to new cert
    :type serial: str
    :param new_cert_file: Path where the new temp cert needs to be written to
    :type new_cert_file: str
    :return: None
    :rtype: None
    :raises PKIServerException: unsupported cert_tag, or non-zero rc from
        ``nssdb.create_cert``
    """
    logger.info('Generate temp SSL certificate')

    if cert_tag != 'sslserver':
        raise PKIServerException('Temp cert for %s is not supported yet.' % cert_tag)

    ca_signing_cert, aki, csr_file = self.setup_temp_renewal(
        tmpdir=tmpdir, cert_tag=cert_tag)

    # --keyUsage
    # NOTE(review): nonRepudiation/dataEncipherment are broader than a
    # TLS server cert needs; left as-is to keep behaviour identical.
    key_usage_ext = dict(
        digitalSignature=True,
        nonRepudiation=True,
        keyEncipherment=True,
        dataEncipherment=True,
        critical=True,
    )
    # -3: authority key identifier taken from the CA signing cert
    aki_ext = dict(auth_key_id=aki)
    # --extKeyUsage: serverAuth only
    ext_key_usage_ext = dict(serverAuth=True)

    logger.debug('Creating temp cert')
    rc = nssdb.create_cert(
        issuer=ca_signing_cert['nickname'],
        request_file=csr_file,
        cert_file=new_cert_file,
        serial=serial,
        key_usage_ext=key_usage_ext,
        aki_ext=aki_ext,
        ext_key_usage_ext=ext_key_usage_ext,
    )

    if not rc:
        return

    # Non-zero rc is certutil's failure status; surface it to the caller.
    raise PKIServerException(
        'Failed to generate CA-signed temp SSL certificate. RC: %d' % rc)
def create_ssl_cert(self, instance, subsystem, serial, is_temp_cert,
                    tmpdir, new_cert_file, nssdb, connection):
    """
    Write a new SSL server certificate to ``new_cert_file``.

    Two modes, selected by ``is_temp_cert``:

    * temp cert: a CSR is prepared via ``self.setup_temp_renewal`` and a
      CA-signed cert is produced locally with ``nssdb.create_cert``;
    * otherwise: the existing cert is renewed through
      ``self.renew_system_certificate`` over ``connection``. When no
      ``serial`` is given, the serial of the current ``sslserver`` cert
      (looked up through ``subsystem``) is used.

    :param instance: PKI instance handed to setup_temp_renewal
    :param subsystem: subsystem object; must provide get_subsystem_cert()
    :param serial: serial number for the new cert, or a falsy value to
        reuse the current sslserver cert's serial (renewal mode only)
    :param is_temp_cert: True to build a temp cert instead of renewing
    :param tmpdir: scratch directory for the CSR (temp mode)
    :param new_cert_file: output path for the certificate
    :param nssdb: NSS database used to sign the temp cert
    :param connection: connection used for the renewal request
    :return: None
    :raises Exception: when nssdb.create_cert returns a non-zero rc
    """
    if self.verbose:
        print('Creating SSL server certificate.')

    if not is_temp_cert:
        # Renewal: without an explicit serial, renew whatever sslserver
        # cert the NSS db currently holds.
        if not serial:
            serial = subsystem.get_subsystem_cert('sslserver')["serial_number"]
        if self.verbose:
            print('Renewing for certificate with serial number: %s' % serial)
        self.renew_system_certificate(connection=connection,
                                      output=new_cert_file,
                                      serial=serial)
        return

    # Temp cert: CSR plus the CA signing cert (issuer nickname, AKI)
    # come from setup_temp_renewal.
    ca_signing_cert, aki, csr_file = self.setup_temp_renewal(
        instance=instance,
        subsystem=subsystem,
        tmpdir=tmpdir,
        cert_id='sslserver')

    # Extensions forwarded to certutil.
    # NOTE(review): keyUsage is broader than TLS serverAuth strictly needs
    # (nonRepudiation, dataEncipherment); preserved unchanged here.
    extensions = {
        # --keyUsage
        'key_usage_ext': {
            'digitalSignature': True,
            'nonRepudiation': True,
            'keyEncipherment': True,
            'dataEncipherment': True,
            'critical': True,
        },
        # -3
        'aki_ext': {'auth_key_id': aki},
        # --extKeyUsage
        'ext_key_usage_ext': {'serverAuth': True},
    }

    rc = nssdb.create_cert(issuer=ca_signing_cert['nickname'],
                           request_file=csr_file,
                           cert_file=new_cert_file,
                           serial=serial,
                           **extensions)
    if rc:
        raise Exception(
            'Failed to generate CA-signed temp SSL certificate. RC: %d' % rc)
def create_temp_sslserver_cert(self, deployer, instance):
    """
    Ensure the instance has an SSL server cert issued for ``pki_hostname``,
    creating a self-signed temporary one when it does not.

    Flow:
      1. Skip entirely (return False) if the Tomcat instance hosts more
         than one subsystem.
      2. Record the sslserver nickname on the instance.
      3. If a cert with that nickname already exists and its subject CN
         equals ``pki_hostname``, keep it and return False.
      4. Otherwise remove the stale cert *and its key*, then generate a
         CSR and a self-signed cert in the software NSS db and import it
         with the configured trust flags. Return True.

    :param deployer: deployment context; ``deployer.mdict`` supplies the
        pki_* settings read below and ``deployer.instance`` the subsystem list
    :param instance: PKI instance whose NSS db is updated
    :return: True if a temp cert was created, False otherwise
    """
    if len(deployer.instance.tomcat_instance_subsystems()) > 1:
        return False

    nickname = deployer.mdict['pki_sslserver_nickname']
    instance.set_sslserver_cert_nickname(nickname)

    # Private scratch dir for the CSR/cert files; removed in finally.
    workdir = tempfile.mkdtemp()
    nssdb = instance.open_nssdb()

    try:
        logger.info('Checking existing SSL server cert: %s', nickname)
        pem_cert = nssdb.get_cert(nickname=nickname)

        if pem_cert:
            existing = x509.load_pem_x509_certificate(pem_cert, default_backend())
            # NOTE(review): indexing [0] raises IndexError when the subject
            # carries no CN; behaviour kept, but a clearer error may be wanted.
            cert_host = existing.subject.get_attributes_for_oid(
                NameOID.COMMON_NAME)[0].value
            logger.info('Existing SSL server cert is for %s', cert_host)

            # Matching hostname: nothing to do. (Exact, case-sensitive compare.)
            if cert_host == deployer.mdict['pki_hostname']:
                return False

            # Stale cert: drop it together with its private key so the new
            # temp cert can take the nickname.
            logger.info('Removing SSL server cert for %s', cert_host)
            nssdb.remove_cert(nickname=nickname, remove_key=True)

        logger.info('Creating temp SSL server cert for %s',
                    deployer.mdict['pki_hostname'])

        # TODO: replace with pki-server create-cert sslserver --temp
        # NOTE: ALWAYS create the temporary sslserver certificate
        #       in the software DB regardless of whether the
        #       instance will utilize 'softokn' or an HSM
        csr_path = os.path.join(workdir, 'sslserver.csr')
        crt_path = os.path.join(workdir, 'sslserver.crt')
        settings = deployer.mdict

        nssdb.create_request(
            subject_dn=settings['pki_self_signed_subject'],
            request_file=csr_path,
            token=settings['pki_self_signed_token'],
            key_type=settings['pki_sslserver_key_type'],
            key_size=settings['pki_sslserver_key_size'],
        )
        # No issuer given: the cert is self-signed by the CSR key.
        nssdb.create_cert(
            request_file=csr_path,
            cert_file=crt_path,
            serial=settings['pki_self_signed_serial_number'],
            validity=settings['pki_self_signed_validity_period'],
        )
        # Trust flags come from configuration; they decide how far this
        # self-signed cert is trusted inside the NSS db.
        nssdb.add_cert(
            nickname=nickname,
            cert_file=crt_path,
            token=settings['pki_self_signed_token'],
            trust_attributes=settings['pki_self_signed_trustargs'],
        )
        return True

    finally:
        nssdb.close()
        shutil.rmtree(workdir)