示例#1
0
    def enroll(self, csr):
        """ enroll certificate from via MS certsrv """
        self.logger.debug('CAhandler.enroll()')
        cert_bundle = None
        error = None
        cert_raw = None

        if self.host and self.user and self.password and self.template:
            # setup certserv
            ca_server = Certsrv(self.host, self.user, self.password,
                                self.auth_method, self.ca_bundle)

            # check connection and credentials
            auth_check = ca_server.check_credentials()
            if auth_check:
                # recode csr
                csr = textwrap.fill(b64_url_recode(self.logger, csr),
                                    64) + '\n'

                # get ca_chain
                ca_pem = ca_server.get_chain(encoding='b64')
                cert_raw = ca_server.get_cert(csr, self.template)
                if cert_raw:
                    cert_bundle = cert_raw + ca_pem
                    cert_raw = cert_raw.replace(
                        '-----BEGIN CERTIFICATE-----\n', '')
                    cert_raw = cert_raw.replace('-----END CERTIFICATE-----\n',
                                                '')
                    cert_raw = cert_raw.replace('\n', '')
                else:
                    error = 'Enrollment failed'
            else:
                error = 'Connection or Credentialcheck failed.'
        else:
            error = 'Config incomplete'

        self.logger.debug('Certificate.enroll() ended')
        return (error, cert_bundle, cert_raw)
示例#2
0
    def install_msca_signed(self, ca_server: str, ca_user: str, ca_pass: str):

        # Create folder
        date = datetime.now().strftime('%Y%m%d%H%M%S')
        cert_dir = self.output_folder / date
        if not cert_dir.exists():
            cert_dir.mkdir(parents=True)

        # File names
        cert_cfg_file = 'rui.cfg'
        cert_key_file = 'rui.key'
        cert_csr_file = 'rui.csr'
        cert_crt_file = 'rui.crt'
        cert_chain_file = 'rui-chain.crt'
        cert_crt_bak_file = 'rui.crt.bak'
        cert_key_bak_file = 'rui.key.bak'
        ca_crt_file = '../ca.crt'

        # Create local paths
        local_cfg = cert_dir / cert_cfg_file
        local_csr = cert_dir / cert_csr_file
        local_key = cert_dir / cert_key_file
        local_crt = cert_dir / cert_crt_file
        local_chain = cert_dir / cert_chain_file
        local_crt_bak = cert_dir / cert_crt_bak_file
        local_key_bak = cert_dir / cert_key_bak_file
        local_ca_crt = cert_dir / ca_crt_file

        # Remote temporary files
        remote_cfg = str(self.remote_tmp / cert_cfg_file)
        remote_csr = str(self.remote_tmp / cert_csr_file)
        remote_crt = str(self.remote_tmp / cert_crt_file)
        remote_chain = str(self.remote_tmp / cert_chain_file)
        remote_key = str(self.remote_tmp / cert_key_file)
        remote_ca_crt = str(self.remote_tmp / ca_crt_file)

        # Get the Microsoft Certificate Authority file
        ca_crt = get_msca_root_cert(hostname=ca_server, username=ca_user, password=ca_pass)
        local_ca_crt.write_bytes(ca_crt.public_bytes(encoding=serialization.Encoding.PEM))

        # Connect to Microsoft Certificate Authority
        cert_srv = Certsrv(server=ca_server, username=ca_user, password=ca_pass, cafile=str(local_ca_crt))
        cert_srv.check_credentials()
        self.connection.put(local=local_ca_crt, remote=remote_ca_crt)

        # Create host cfg
        config = create_cert_config(host=self.esx_server)
        local_cfg.write_text(config)
        self.connection.put(local=local_cfg, remote=remote_cfg)

        # Create certificate request
        cmd = f'openssl req -new -nodes -out {remote_csr} -keyout {remote_key} -config {remote_cfg}'
        result = self.connection.run(f"{cmd}", pty=True, hide=True)
        self.connection.get(local=local_csr, remote=remote_csr)
        self.connection.get(local=local_key, remote=remote_key)

        # Get signed certificate
        csr_bytes = local_csr.read_bytes()
        crt_bytes = cert_srv.get_cert(csr_bytes, 'WebServer')
        local_crt.write_bytes(crt_bytes)
        self.connection.put(local=local_crt, remote=remote_crt)

        # Create certificate chain
        cmd = f'cat {remote_crt} {remote_ca_crt} > {remote_chain}'
        result = self.connection.run(f'{cmd}', pty=True, hide=True)
        self.connection.get(local=local_chain, remote=remote_chain)

        # Backup current crt and key
        self.connection.get(local=local_crt_bak, remote=self.esx_crt)
        self.connection.get(local=local_key_bak, remote=self.esx_key)

        # Deploy new crt and key
        self.connection.put(local=local_chain, remote=self.esx_crt)
        self.connection.put(local=local_key, remote=self.esx_key)

        # Reboot host
        self.__reboot()