def enroll(self):
request = CertificateRequest(common_name=self.common_name,
key_password=self.privatekey_passphrase,
origin="Red Hat Ansible")
zone_config = self.conn.read_zone_conf(self.zone)
request.update_from_zone_config(zone_config)
use_existed_key = False
if self._check_private_key_correct() and not self.privatekey_reuse:
private_key = to_text(open(self.privatekey_filename, "rb").read())
request.private_key = private_key
use_existed_key = True
elif self.privatekey_type:
key_type = {"RSA": "rsa", "ECDSA": "ec", "EC": "ec"}. \
get(self.privatekey_type)
if not key_type:
self.module.fail_json(msg=("Failed to determine key type: %s."
"Must be RSA or ECDSA" %
self.privatekey_type))
if key_type == "rsa":
request.key_type = KeyType(KeyType.RSA, self.privatekey_size)
elif key_type == "ecdsa" or "ec":
request.key_type = KeyType(KeyType.ECDSA,
self.privatekey_curve)
else:
self.module.fail_json(msg=("Failed to determine key type: %s."
"Must be RSA or ECDSA" %
self.privatekey_type))
request.ip_addresses = self.ip_addresses
request.san_dns = self.san_dns
request.email_addresses = self.email_addresses
request.chain_option = self.module.params['chain_option']
try:
csr = open(self.csr_path, "rb").read()
request.csr = csr
except Exception as e:
self.module.log(msg=str(e))
pass
self.conn.request_cert(request, self.zone)
print(request.csr)
while True:
cert = self.conn.retrieve_cert(request) # vcert.Certificate
if cert:
break
else:
time.sleep(5)
if self.chain_filename:
self._atomic_write(self.chain_filename, "\n".join(cert.chain))
self._atomic_write(self.certificate_filename, cert.cert)
else:
self._atomic_write(self.certificate_filename, cert.full_chain)
if not use_existed_key:
self._atomic_write(self.privatekey_filename,
request.private_key_pem)
def enroll(self):
request = CertificateRequest(
common_name=self.common_name,
key_password=self.privatekey_passphrase,
)
use_existed_key = False
if self._check_private_key_correct(): # May be None
private_key = to_text(open(self.privatekey_filename, "rb").read())
request.private_key = private_key
use_existed_key = True
elif self.privatekey_type:
key_type = {
"RSA": "rsa",
"ECDSA": "ec",
"EC": "ec"
}.get(self.privatekey_type)
if not key_type:
self.module.fail_json(
msg="Failed to determine key type: {0}. Must be RSA or ECDSA"
.format(self.privatekey_type))
request.key_type = key_type
request.key_curve = self.privatekey_curve
request.key_length = self.privatekey_size
request.ip_addresses = self.ip_addresses
request.san_dns = self.san_dns
request.email_addresses = self.email_addresses
request.chain_option = self.module.params['chain_option']
try:
csr = open(self.csr_path, "rb").read()
request.csr = csr
except Exception as e:
self.module.log(msg=str(e))
pass
self.conn.request_cert(request, self.zone)
print(request.csr)
while True:
cert = self.conn.retrieve_cert(request) # vcert.Certificate
if cert:
break
else:
time.sleep(5)
if self.chain_filename:
self._atomic_write(self.chain_filename, "\n".join(cert.chain))
self._atomic_write(self.certificate_filename, cert.cert)
else:
self._atomic_write(self.certificate_filename, cert.full_chain)
if not use_existed_key:
self._atomic_write(self.privatekey_filename,
request.private_key_pem)
def enroll(conn,
zone,
cn=None,
private_key=None,
public_key=None,
password=None,
csr=None,
custom_fields=None,
service_generated_csr=False):
request = CertificateRequest(common_name=cn,
private_key=private_key,
key_password=password)
if custom_fields:
request.custom_fields = custom_fields
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)):
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
request.uniform_resource_identifiers = [
"https://www.venafi.com", "https://venafi.cloud"
]
if csr:
request.csr = csr
elif service_generated_csr:
request.csr_origin = CSR_ORIGIN_SERVICE
request.include_private_key = True
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)
with open("./cert.pem", "w") as f:
f.write(cert.full_chain)
with open("./cert.key", "w") as f2:
if request.include_private_key:
assert cert.key is not None
f2.write(cert.key)
else:
f2.write(request.private_key_pem)
cert = x509.load_pem_x509_certificate(cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)]
assert t1 == t2
cert_public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
if isinstance(public_key, string_types):
public_key = public_key.encode()
if public_key:
source_public_key_pem = serialization.load_pem_public_key(
public_key, default_backend()).public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode(
)
else:
source_public_key_pem = request.public_key_pem if not service_generated_csr else None
print(source_public_key_pem)
print(cert_public_key_pem)
if not service_generated_csr:
assert source_public_key_pem == cert_public_key_pem
private_key_pem = request.private_key_pem if not service_generated_csr else None
return request.id, private_key_pem, cert, cert_public_key_pem, request.cert_guid
def enroll(conn,
zone,
cn=None,
private_key=None,
public_key=None,
password=None,
csr=None):
request = CertificateRequest(common_name=cn,
private_key=private_key,
key_password=password)
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)):
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
request.uniform_resource_identifiers = [
"https://www.venafi.com", "https://venafi.cloud"
]
if csr:
request.csr = csr
conn.request_cert(request, zone)
t = time.time()
while time.time() - t < 300:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# print("Certificate is:\n %s" % cert_pem)
# print("Private key is:\n %s:" % request.private_key_pem)
# and save into file
f = open("./cert.pem", "w")
f.write(cert.full_chain)
f = open("./cert.key", "w")
f.write(request.private_key_pem)
f.close()
cert = x509.load_pem_x509_certificate(cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)]
assert t1 == t2
cert_public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
if isinstance(public_key, string_types):
public_key = public_key.encode()
if public_key:
source_public_key_pem = serialization.load_pem_public_key(
public_key, default_backend()).public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode(
)
else:
source_public_key_pem = request.public_key_pem
print(source_public_key_pem)
print(cert_public_key_pem)
assert source_public_key_pem == cert_public_key_pem
return request.id, request.private_key_pem, cert, cert_public_key_pem
def enroll(conn,
zone,
cn=None,
private_key=None,
public_key=None,
password=None,
csr=None):
print("Trying to ping service")
status = conn.ping()
print("Server online:", status)
if not status:
print('Server offline')
exit(1)
request = CertificateRequest(common_name=cn,
private_key=private_key,
key_password=password)
if isinstance(conn, (FakeConnection or TPPConnection)):
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
if csr:
request.csr = csr
conn.request_cert(request, zone)
while True:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# print("Certificate is:\n %s" % cert_pem)
# print("Private key is:\n %s:" % request.private_key_pem)
# and save into file
f = open("./cert.pem", "w")
f.write(cert.full_chain)
f = open("./cert.key", "w")
f.write(request.private_key_pem)
f.close()
cert = x509.load_pem_x509_certificate(cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)
]
cert_public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
if isinstance(public_key, string_types):
public_key = public_key.encode()
if public_key:
source_public_key_pem = serialization.load_pem_public_key(
public_key, default_backend()).public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode(
)
else:
source_public_key_pem = request.public_key_pem
print(source_public_key_pem)
print(cert_public_key_pem)
assert source_public_key_pem == cert_public_key_pem
return request.id, request.private_key_pem, cert.serial_number
# Pipe our CSR to OpenSSL to verify it
with subprocess.Popen(
('/bin/openssl', 'req', '-inform', 'der', '-noout', '-verify'),
stdin=subprocess.PIPE,
stdout=subprocess.DEVNULL) as proc:
proc.stdin.write(csr.dump())
proc.stdin.close()
user = environ.get('TPPUSER')
password = environ.get('TPPPASSWORD')
url = environ.get('TPPURL')
zone = environ.get("ZONE")
conn = Connection(url=url,
user=user,
password=password,
http_request_kwargs={"verify": False})
request = CertificateRequest(common_name=cn)
request.csr = certpem
conn.request_cert(request, zone)
# and wait for signing
while True:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain, sep="\n")
