def enroll(self, csr): """ enroll certificate from via MS certsrv """ self.logger.debug('CAhandler.enroll()') cert_bundle = None error = None cert_raw = None if self.host and self.user and self.password and self.template: # setup certserv ca_server = Certsrv(self.host, self.user, self.password, self.auth_method, self.ca_bundle) # check connection and credentials auth_check = ca_server.check_credentials() if auth_check: # recode csr csr = textwrap.fill(b64_url_recode(self.logger, csr), 64) + '\n' # get ca_chain ca_pem = ca_server.get_chain(encoding='b64') cert_raw = ca_server.get_cert(csr, self.template) if cert_raw: cert_bundle = cert_raw + ca_pem cert_raw = cert_raw.replace( '-----BEGIN CERTIFICATE-----\n', '') cert_raw = cert_raw.replace('-----END CERTIFICATE-----\n', '') cert_raw = cert_raw.replace('\n', '') else: error = 'Enrollment failed' else: error = 'Connection or Credentialcheck failed.' else: error = 'Config incomplete' self.logger.debug('Certificate.enroll() ended') return (error, cert_bundle, cert_raw)
def install_msca_signed(self, ca_server: str, ca_user: str, ca_pass: str): # Create folder date = datetime.now().strftime('%Y%m%d%H%M%S') cert_dir = self.output_folder / date if not cert_dir.exists(): cert_dir.mkdir(parents=True) # File names cert_cfg_file = 'rui.cfg' cert_key_file = 'rui.key' cert_csr_file = 'rui.csr' cert_crt_file = 'rui.crt' cert_chain_file = 'rui-chain.crt' cert_crt_bak_file = 'rui.crt.bak' cert_key_bak_file = 'rui.key.bak' ca_crt_file = '../ca.crt' # Create local paths local_cfg = cert_dir / cert_cfg_file local_csr = cert_dir / cert_csr_file local_key = cert_dir / cert_key_file local_crt = cert_dir / cert_crt_file local_chain = cert_dir / cert_chain_file local_crt_bak = cert_dir / cert_crt_bak_file local_key_bak = cert_dir / cert_key_bak_file local_ca_crt = cert_dir / ca_crt_file # Remote temporary files remote_cfg = str(self.remote_tmp / cert_cfg_file) remote_csr = str(self.remote_tmp / cert_csr_file) remote_crt = str(self.remote_tmp / cert_crt_file) remote_chain = str(self.remote_tmp / cert_chain_file) remote_key = str(self.remote_tmp / cert_key_file) remote_ca_crt = str(self.remote_tmp / ca_crt_file) # Get the Microsoft Certificate Authority file ca_crt = get_msca_root_cert(hostname=ca_server, username=ca_user, password=ca_pass) local_ca_crt.write_bytes(ca_crt.public_bytes(encoding=serialization.Encoding.PEM)) # Connect to Microsoft Certificate Authority cert_srv = Certsrv(server=ca_server, username=ca_user, password=ca_pass, cafile=str(local_ca_crt)) cert_srv.check_credentials() self.connection.put(local=local_ca_crt, remote=remote_ca_crt) # Create host cfg config = create_cert_config(host=self.esx_server) local_cfg.write_text(config) self.connection.put(local=local_cfg, remote=remote_cfg) # Create certificate request cmd = f'openssl req -new -nodes -out {remote_csr} -keyout {remote_key} -config {remote_cfg}' result = self.connection.run(f"{cmd}", pty=True, hide=True) self.connection.get(local=local_csr, remote=remote_csr) self.connection.get(local=local_key, remote=remote_key) # Get signed certificate csr_bytes = local_csr.read_bytes() crt_bytes = cert_srv.get_cert(csr_bytes, 'WebServer') local_crt.write_bytes(crt_bytes) self.connection.put(local=local_crt, remote=remote_crt) # Create certificate chain cmd = f'cat {remote_crt} {remote_ca_crt} > {remote_chain}' result = self.connection.run(f'{cmd}', pty=True, hide=True) self.connection.get(local=local_chain, remote=remote_chain) # Backup current crt and key self.connection.get(local=local_crt_bak, remote=self.esx_crt) self.connection.get(local=local_key_bak, remote=self.esx_key) # Deploy new crt and key self.connection.put(local=local_chain, remote=self.esx_crt) self.connection.put(local=local_key, remote=self.esx_key) # Reboot host self.__reboot()