def enroll(self, csr):
""" enroll certificate from via MS certsrv """
self.logger.debug('CAhandler.enroll()')
cert_bundle = None
error = None
cert_raw = None
if self.host and self.user and self.password and self.template:
# setup certserv
ca_server = Certsrv(self.host, self.user, self.password,
self.auth_method, self.ca_bundle)
# check connection and credentials
auth_check = ca_server.check_credentials()
if auth_check:
# recode csr
csr = textwrap.fill(b64_url_recode(self.logger, csr),
64) + '\n'
# get ca_chain
ca_pem = ca_server.get_chain(encoding='b64')
cert_raw = ca_server.get_cert(csr, self.template)
if cert_raw:
cert_bundle = cert_raw + ca_pem
cert_raw = cert_raw.replace(
'-----BEGIN CERTIFICATE-----\n', '')
cert_raw = cert_raw.replace('-----END CERTIFICATE-----\n',
'')
cert_raw = cert_raw.replace('\n', '')
else:
error = 'Enrollment failed'
else:
error = 'Connection or Credentialcheck failed.'
else:
error = 'Config incomplete'
self.logger.debug('Certificate.enroll() ended')
return (error, cert_bundle, cert_raw)
def install_msca_signed(self, ca_server: str, ca_user: str, ca_pass: str):
# Create folder
date = datetime.now().strftime('%Y%m%d%H%M%S')
cert_dir = self.output_folder / date
if not cert_dir.exists():
cert_dir.mkdir(parents=True)
# File names
cert_cfg_file = 'rui.cfg'
cert_key_file = 'rui.key'
cert_csr_file = 'rui.csr'
cert_crt_file = 'rui.crt'
cert_chain_file = 'rui-chain.crt'
cert_crt_bak_file = 'rui.crt.bak'
cert_key_bak_file = 'rui.key.bak'
ca_crt_file = '../ca.crt'
# Create local paths
local_cfg = cert_dir / cert_cfg_file
local_csr = cert_dir / cert_csr_file
local_key = cert_dir / cert_key_file
local_crt = cert_dir / cert_crt_file
local_chain = cert_dir / cert_chain_file
local_crt_bak = cert_dir / cert_crt_bak_file
local_key_bak = cert_dir / cert_key_bak_file
local_ca_crt = cert_dir / ca_crt_file
# Remote temporary files
remote_cfg = str(self.remote_tmp / cert_cfg_file)
remote_csr = str(self.remote_tmp / cert_csr_file)
remote_crt = str(self.remote_tmp / cert_crt_file)
remote_chain = str(self.remote_tmp / cert_chain_file)
remote_key = str(self.remote_tmp / cert_key_file)
remote_ca_crt = str(self.remote_tmp / ca_crt_file)
# Get the Microsoft Certificate Authority file
ca_crt = get_msca_root_cert(hostname=ca_server, username=ca_user, password=ca_pass)
local_ca_crt.write_bytes(ca_crt.public_bytes(encoding=serialization.Encoding.PEM))
# Connect to Microsoft Certificate Authority
cert_srv = Certsrv(server=ca_server, username=ca_user, password=ca_pass, cafile=str(local_ca_crt))
cert_srv.check_credentials()
self.connection.put(local=local_ca_crt, remote=remote_ca_crt)
# Create host cfg
config = create_cert_config(host=self.esx_server)
local_cfg.write_text(config)
self.connection.put(local=local_cfg, remote=remote_cfg)
# Create certificate request
cmd = f'openssl req -new -nodes -out {remote_csr} -keyout {remote_key} -config {remote_cfg}'
result = self.connection.run(f"{cmd}", pty=True, hide=True)
self.connection.get(local=local_csr, remote=remote_csr)
self.connection.get(local=local_key, remote=remote_key)
# Get signed certificate
csr_bytes = local_csr.read_bytes()
crt_bytes = cert_srv.get_cert(csr_bytes, 'WebServer')
local_crt.write_bytes(crt_bytes)
self.connection.put(local=local_crt, remote=remote_crt)
# Create certificate chain
cmd = f'cat {remote_crt} {remote_ca_crt} > {remote_chain}'
result = self.connection.run(f'{cmd}', pty=True, hide=True)
self.connection.get(local=local_chain, remote=remote_chain)
# Backup current crt and key
self.connection.get(local=local_crt_bak, remote=self.esx_crt)
self.connection.get(local=local_key_bak, remote=self.esx_key)
# Deploy new crt and key
self.connection.put(local=local_chain, remote=self.esx_crt)
self.connection.put(local=local_key, remote=self.esx_key)
# Reboot host
self.__reboot()