Exemplo n.º 1
    def renew_external_step_1(self, ca):
        """Export the CA renewal CSR so an external CA can sign it.

        Fills in defaults on ``self.options`` (the generic CA type when none
        was given; the ``SubCA`` MS-CS V1 template when the type is MS-CS
        and no profile was given), refuses a profile that is not valid for
        the selected CA type, resubmits the renewal request and prints the
        command line for the second step.

        The ``ca`` argument is not used by this method.

        Raises:
            admintool.ScriptError: the profile's ``valid_for`` does not
                contain the selected external CA type.
        """
        print("Exporting CA certificate signing request, please wait")

        opts = self.options

        # No CA type supplied: fall back to the generic external CA.
        if not opts.external_ca_type:
            opts.external_ca_type = x509.ExternalCAType.GENERIC.value

        # An MS-CS CA without an explicit profile gets the "SubCA" template.
        wants_ms_cs = (
            opts.external_ca_type == x509.ExternalCAType.MS_CS.value)
        if wants_ms_cs and opts.external_ca_profile is None:
            opts.external_ca_profile = x509.MSCSTemplateV1(u"SubCA")

        # Reject a profile/CA-type mismatch before any request is
        # resubmitted, so a CSR with an unsuitable profile is never exported.
        profile = opts.external_ca_profile
        if profile is not None \
                and opts.external_ca_type not in profile.valid_for:
            template = ("External CA profile specification '{}' "
                        "cannot be used with external CA type '{}'.")
            raise admintool.ScriptError(
                template.format(profile.unparsed_input,
                                opts.external_ca_type))

        self.resubmit_request(RENEWAL_REUSE_CA_NAME, profile=profile)

        # Tell the operator where the CSR is and how to continue: the second
        # run takes the signed certificate and the external CA certificate.
        next_step = ("The next step is to get %s signed by your CA and re-run "
                     "ipa-cacert-manage as:" % paths.IPA_CA_CSR)
        print(next_step)
        print("ipa-cacert-manage renew "
              "--external-cert-file=/path/to/signed_certificate "
              "--external-cert-file=/path/to/external_ca_certificate")
Exemplo n.º 2
    def test_external_ca(self):
        """Install a server signed by an MS-CS external CA, then a replica.

        Covers both installer steps, checks that the generated CSR carries
        the MS-CS template extension for ``SubCA``, confirms the server
        answers an ``ipa user-show admin`` call, installs a replica and
        checks two replication settings in ``cn=config``.
        """
        # Step 1 of ipa-server-install: generate the CSR for the external CA.
        step1 = install_server_external_ca_step1(
            self.master, extra_args=['--external-ca-type=ms-cs'])
        assert step1.returncode == 0

        # The CSR must contain the extension matching the SubCA template.
        csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
        expected_template = ipa_x509.MSCSTemplateV1(u'SubCA')
        check_mscs_extension(csr, expected_template)

        # Sign the CSR, transport the result to the host and collect the
        # paths of the root CA and IPA CA certificate files.
        signed = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
        root_ca_fname, ipa_ca_fname = signed

        # Step 2 of ipa-server-install: finish with the signed certificates.
        step2 = install_server_external_ca_step2(
            self.master, ipa_ca_fname, root_ca_fname)
        assert step2.returncode == 0

        # Make sure the IPA server is working properly.
        tasks.kinit_admin(self.master)
        user_show = self.master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in user_show.stdout_text

        # A replica must be installable against this master as well.
        tasks.install_replica(self.master, self.replicas[0])

        # Read the replica entries from the mapping tree.
        search = tasks.ldapsearch_dm(
            self.master,
            'cn=mapping tree,cn=config',
            ['(cn=replica)'],
        )
        # Compare case-insensitively by lowering both sides.
        output = search.stdout_text.lower()
        # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
        expected_settings = (
            'nsds5ReplicaReleaseTimeout: 60',
            'nsDS5ReplicaBindDnGroupCheckInterval: 60',
        )
        for setting in expected_settings:
            assert setting.lower() in output
Exemplo n.º 3
 def test_write_pkispawn_config_file_MSCSTemplateV1(self):
     """Check the pkispawn [CA] section written for a V1 ``SubCA`` template.

     The expected extension data decodes as tag 0x1e (BMPString), length
     0x0a, then "SubCA" in two-byte big-endian characters.
     """
     expected_lines = (
         '[CA]\n',
         'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n',
         'pki_req_ext_data = 1e0a00530075006200430041\n\n',
     )
     subca_template = x509.MSCSTemplateV1(u"SubCA")
     self._test_write_pkispawn_config_file(
         subca_template, ''.join(expected_lines))
Exemplo n.º 4
 def test_MSCSTemplateV1_pickle_roundtrip(self):
     """A V1 template keeps the same extension data after pickling.

     The bytes passed to ``pickle.loads`` are produced by ``pickle.dumps``
     in this same test, so no externally supplied pickle is deserialised.
     """
     original = x509.MSCSTemplateV1("MySubCA")
     serialized = pickle.dumps(original)
     before = original.get_ext_data()
     restored = pickle.loads(serialized)
     assert before == restored.get_ext_data()
Exemplo n.º 5
 def test_MSCSTemplateV1_bad(self):
     """Constructing a V1 template from "MySubCA:1" must raise ValueError."""
     # NOTE(review): presumably rejected because of the ':' suffix, which
     # a V1 template name does not carry -- confirm against x509.
     invalid_spec = "MySubCA:1"
     with pytest.raises(ValueError):
         x509.MSCSTemplateV1(invalid_spec)
Exemplo n.º 6
 def test_MSCSTemplateV1_good(self):
     """Check the encoded extension data for the template name "MySubCA".

     The expected hex decodes as tag 0x1e (BMPString), length 0x0e, then
     the seven characters of "MySubCA" as two-byte big-endian units.
     """
     template = x509.MSCSTemplateV1("MySubCA")
     encoded = hexlify(template.get_ext_data())
     assert encoded == b'1e0e004d007900530075006200430041'