def enroll(self): request = CertificateRequest(common_name=self.common_name, key_password=self.privatekey_passphrase, origin="Red Hat Ansible") zone_config = self.conn.read_zone_conf(self.zone) request.update_from_zone_config(zone_config) use_existed_key = False if self._check_private_key_correct() and not self.privatekey_reuse: private_key = to_text(open(self.privatekey_filename, "rb").read()) request.private_key = private_key use_existed_key = True elif self.privatekey_type: key_type = {"RSA": "rsa", "ECDSA": "ec", "EC": "ec"}. \ get(self.privatekey_type) if not key_type: self.module.fail_json(msg=("Failed to determine key type: %s." "Must be RSA or ECDSA" % self.privatekey_type)) if key_type == "rsa": request.key_type = KeyType(KeyType.RSA, self.privatekey_size) elif key_type == "ecdsa" or "ec": request.key_type = KeyType(KeyType.ECDSA, self.privatekey_curve) else: self.module.fail_json(msg=("Failed to determine key type: %s." "Must be RSA or ECDSA" % self.privatekey_type)) request.ip_addresses = self.ip_addresses request.san_dns = self.san_dns request.email_addresses = self.email_addresses request.chain_option = self.module.params['chain_option'] try: csr = open(self.csr_path, "rb").read() request.csr = csr except Exception as e: self.module.log(msg=str(e)) pass self.conn.request_cert(request, self.zone) print(request.csr) while True: cert = self.conn.retrieve_cert(request) # vcert.Certificate if cert: break else: time.sleep(5) if self.chain_filename: self._atomic_write(self.chain_filename, "\n".join(cert.chain)) self._atomic_write(self.certificate_filename, cert.cert) else: self._atomic_write(self.certificate_filename, cert.full_chain) if not use_existed_key: self._atomic_write(self.privatekey_filename, request.private_key_pem)
def enroll(self): request = CertificateRequest( common_name=self.common_name, key_password=self.privatekey_passphrase, ) use_existed_key = False if self._check_private_key_correct(): # May be None private_key = to_text(open(self.privatekey_filename, "rb").read()) request.private_key = private_key use_existed_key = True elif self.privatekey_type: key_type = { "RSA": "rsa", "ECDSA": "ec", "EC": "ec" }.get(self.privatekey_type) if not key_type: self.module.fail_json( msg="Failed to determine key type: {0}. Must be RSA or ECDSA" .format(self.privatekey_type)) request.key_type = key_type request.key_curve = self.privatekey_curve request.key_length = self.privatekey_size request.ip_addresses = self.ip_addresses request.san_dns = self.san_dns request.email_addresses = self.email_addresses request.chain_option = self.module.params['chain_option'] try: csr = open(self.csr_path, "rb").read() request.csr = csr except Exception as e: self.module.log(msg=str(e)) pass self.conn.request_cert(request, self.zone) print(request.csr) while True: cert = self.conn.retrieve_cert(request) # vcert.Certificate if cert: break else: time.sleep(5) if self.chain_filename: self._atomic_write(self.chain_filename, "\n".join(cert.chain)) self._atomic_write(self.certificate_filename, cert.cert) else: self._atomic_write(self.certificate_filename, cert.full_chain) if not use_existed_key: self._atomic_write(self.privatekey_filename, request.private_key_pem)
def enroll(conn, zone, cn=None, private_key=None, public_key=None, password=None, csr=None, custom_fields=None, service_generated_csr=False): request = CertificateRequest(common_name=cn, private_key=private_key, key_password=password) if custom_fields: request.custom_fields = custom_fields request.san_dns = [ "www.client.venafi.example.com", "ww1.client.venafi.example.com" ] if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)): request.email_addresses = [ "*****@*****.**", "*****@*****.**" ] request.ip_addresses = ["127.0.0.1", "192.168.1.1"] request.user_principal_names = [ "*****@*****.**", "*****@*****.**" ] request.uniform_resource_identifiers = [ "https://www.venafi.com", "https://venafi.cloud" ] if csr: request.csr = csr elif service_generated_csr: request.csr_origin = CSR_ORIGIN_SERVICE request.include_private_key = True conn.request_cert(request, zone) cert = conn.retrieve_cert(request) with open("./cert.pem", "w") as f: f.write(cert.full_chain) with open("./cert.key", "w") as f2: if request.include_private_key: assert cert.key is not None f2.write(cert.key) else: f2.write(request.private_key_pem) cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend()) assert isinstance(cert, x509.Certificate) t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)] assert t1 == t2 cert_public_key_pem = cert.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode() if isinstance(public_key, string_types): public_key = public_key.encode() if public_key: source_public_key_pem = serialization.load_pem_public_key( public_key, default_backend()).public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode( ) else: source_public_key_pem = request.public_key_pem if not service_generated_csr else None print(source_public_key_pem) print(cert_public_key_pem) if not service_generated_csr: assert source_public_key_pem == cert_public_key_pem private_key_pem = request.private_key_pem if not service_generated_csr else None return request.id, private_key_pem, cert, cert_public_key_pem, request.cert_guid
def enroll(conn, zone, cn=None, private_key=None, public_key=None, password=None, csr=None): request = CertificateRequest(common_name=cn, private_key=private_key, key_password=password) request.san_dns = [ "www.client.venafi.example.com", "ww1.client.venafi.example.com" ] if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)): request.email_addresses = [ "*****@*****.**", "*****@*****.**" ] request.ip_addresses = ["127.0.0.1", "192.168.1.1"] request.user_principal_names = [ "*****@*****.**", "*****@*****.**" ] request.uniform_resource_identifiers = [ "https://www.venafi.com", "https://venafi.cloud" ] if csr: request.csr = csr conn.request_cert(request, zone) t = time.time() while time.time() - t < 300: cert = conn.retrieve_cert(request) if cert: break else: time.sleep(5) # print("Certificate is:\n %s" % cert_pem) # print("Private key is:\n %s:" % request.private_key_pem) # and save into file f = open("./cert.pem", "w") f.write(cert.full_chain) f = open("./cert.key", "w") f.write(request.private_key_pem) f.close() cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend()) assert isinstance(cert, x509.Certificate) t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)] assert t1 == t2 cert_public_key_pem = cert.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode() if isinstance(public_key, string_types): public_key = public_key.encode() if public_key: source_public_key_pem = serialization.load_pem_public_key( public_key, default_backend()).public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode( ) else: source_public_key_pem = request.public_key_pem print(source_public_key_pem) print(cert_public_key_pem) assert source_public_key_pem == cert_public_key_pem return request.id, request.private_key_pem, cert, cert_public_key_pem
def enroll(conn, zone, cn=None, private_key=None, public_key=None, password=None, csr=None): print("Trying to ping service") status = conn.ping() print("Server online:", status) if not status: print('Server offline') exit(1) request = CertificateRequest(common_name=cn, private_key=private_key, key_password=password) if isinstance(conn, (FakeConnection or TPPConnection)): request.san_dns = [ "www.client.venafi.example.com", "ww1.client.venafi.example.com" ] request.email_addresses = [ "*****@*****.**", "*****@*****.**" ] request.ip_addresses = ["127.0.0.1", "192.168.1.1"] if csr: request.csr = csr conn.request_cert(request, zone) while True: cert = conn.retrieve_cert(request) if cert: break else: time.sleep(5) # print("Certificate is:\n %s" % cert_pem) # print("Private key is:\n %s:" % request.private_key_pem) # and save into file f = open("./cert.pem", "w") f.write(cert.full_chain) f = open("./cert.key", "w") f.write(request.private_key_pem) f.close() cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend()) assert isinstance(cert, x509.Certificate) assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN) ] cert_public_key_pem = cert.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode() if isinstance(public_key, string_types): public_key = public_key.encode() if public_key: source_public_key_pem = serialization.load_pem_public_key( public_key, default_backend()).public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode( ) else: source_public_key_pem = request.public_key_pem print(source_public_key_pem) print(cert_public_key_pem) assert source_public_key_pem == cert_public_key_pem return request.id, request.private_key_pem, cert.serial_number
# Pipe our CSR to OpenSSL to verify it with subprocess.Popen( ('/bin/openssl', 'req', '-inform', 'der', '-noout', '-verify'), stdin=subprocess.PIPE, stdout=subprocess.DEVNULL) as proc: proc.stdin.write(csr.dump()) proc.stdin.close() user = environ.get('TPPUSER') password = environ.get('TPPPASSWORD') url = environ.get('TPPURL') zone = environ.get("ZONE") conn = Connection(url=url, user=user, password=password, http_request_kwargs={"verify": False}) request = CertificateRequest(common_name=cn) request.csr = certpem conn.request_cert(request, zone) # and wait for signing while True: cert = conn.retrieve_cert(request) if cert: break else: time.sleep(5) # after that print cert and key print(cert.full_chain, sep="\n")