def renew_external_step_1(self, ca): print("Exporting CA certificate signing request, please wait") options = self.options if not options.external_ca_type: options.external_ca_type = x509.ExternalCAType.GENERIC.value if options.external_ca_type == x509.ExternalCAType.MS_CS.value \ and options.external_ca_profile is None: options.external_ca_profile = x509.MSCSTemplateV1(u"SubCA") if options.external_ca_profile is not None: # check that profile is valid for the external ca type if options.external_ca_type \ not in options.external_ca_profile.valid_for: raise admintool.ScriptError( "External CA profile specification '{}' " "cannot be used with external CA type '{}'." .format( options.external_ca_profile.unparsed_input, options.external_ca_type) ) self.resubmit_request( RENEWAL_REUSE_CA_NAME, profile=options.external_ca_profile) print(("The next step is to get %s signed by your CA and re-run " "ipa-cacert-manage as:" % paths.IPA_CA_CSR)) print("ipa-cacert-manage renew " "--external-cert-file=/path/to/signed_certificate " "--external-cert-file=/path/to/external_ca_certificate")
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1( self.master, extra_args=['--external-ca-type=ms-cs']) assert result.returncode == 0 # check CSR for extension ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA')) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = tasks.ldapsearch_dm( self.master, 'cn=mapping tree,cn=config', ['(cn=replica)'], ) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_write_pkispawn_config_file_MSCSTemplateV1(self): template = x509.MSCSTemplateV1(u"SubCA") expected = ('[CA]\n' 'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n' 'pki_req_ext_data = 1e0a00530075006200430041\n\n') self._test_write_pkispawn_config_file(template, expected)
def test_MSCSTemplateV1_pickle_roundtrip(self): o = x509.MSCSTemplateV1("MySubCA") s = pickle.dumps(o) assert o.get_ext_data() == pickle.loads(s).get_ext_data()
def test_MSCSTemplateV1_bad(self): with pytest.raises(ValueError): x509.MSCSTemplateV1("MySubCA:1")
def test_MSCSTemplateV1_good(self): o = x509.MSCSTemplateV1("MySubCA") assert hexlify(o.get_ext_data()) == b'1e0e004d007900530075006200430041'