diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml
index 9ee9ff0c718..7a3a1079a9c 100644
--- a/.github/workflows/ca-existing-hsm-test.yml
+++ b/.github/workflows/ca-existing-hsm-test.yml
@@ -84,14 +84,8 @@ jobs:
 --token HSM \
 --ext /usr/share/pki/server/certs/ca_signing.conf \
 ca_signing
- docker exec pki runuser -u pkiuser -- \
- pki \
- -d /etc/pki/pki-tomcat/alias \
- -f /etc/pki/pki-tomcat/password.conf \
+ docker exec pki pki-server cert-import \
 --token HSM \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
- --trust CT,C,C \
 ca_signing
 
 # check original cert
@@ -124,13 +118,8 @@ jobs:
 --issuer HSM:ca_signing \
 --ext /usr/share/pki/server/certs/ocsp_signing.conf \
 ca_ocsp_signing
- docker exec pki runuser -u pkiuser -- \
- pki \
- -d /etc/pki/pki-tomcat/alias \
- -f /etc/pki/pki-tomcat/password.conf \
+ docker exec pki pki-server cert-import \
 --token HSM \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
 ca_ocsp_signing
 
 # check original cert
@@ -163,14 +152,8 @@ jobs:
 --issuer HSM:ca_signing \
 --ext /usr/share/pki/server/certs/audit_signing.conf \
 ca_audit_signing
- docker exec pki runuser -u pkiuser -- \
- pki \
- -d /etc/pki/pki-tomcat/alias \
- -f /etc/pki/pki-tomcat/password.conf \
+ docker exec pki pki-server cert-import \
 --token HSM \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
- --trust ,,P \
 ca_audit_signing
 
 # check original cert
@@ -203,13 +186,8 @@ jobs:
 --issuer HSM:ca_signing \
 --ext /usr/share/pki/server/certs/subsystem.conf \
 subsystem
- docker exec pki runuser -u pkiuser -- \
- pki \
- -d /etc/pki/pki-tomcat/alias \
- -f /etc/pki/pki-tomcat/password.conf \
+ docker exec pki pki-server cert-import \
 --token HSM \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
 subsystem
 
 # check original cert
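Review bot: The removed `--trust CT,C,C` for ca_signing (first hunk) and `--trust ,,P` for ca_audit_signing (third hunk) are no longer stated anywhere in the workflow, so the trust flags these tests end up with now depend entirely on the trust_attributes mapping inside instance.cert_import, which is outside this diff. The `# check original cert` steps that follow each import should assert the resulting trust flags against the values the old commands set explicitly, so that a regression in that mapping is caught in CI rather than at CA startup. The same applies to the ca-existing-nssdb-test.yml hunks, where the explicit trust flags were dropped in the same way.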
@@ -241,13 +219,7 @@ jobs:
 --issuer HSM:ca_signing \
 --ext /usr/share/pki/server/certs/sslserver.conf \
 sslserver
- docker exec pki runuser -u pkiuser -- \
- pki \
- -d /etc/pki/pki-tomcat/alias \
- -f /etc/pki/pki-tomcat/password.conf \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/sslserver.crt \
- sslserver
+ docker exec pki pki-server cert-import sslserver
 
 # check original cert
 docker exec pki runuser -u pkiuser -- \
diff --git a/.github/workflows/ca-existing-nssdb-test.yml b/.github/workflows/ca-existing-nssdb-test.yml
index 7add5a2a10c..8bcdcf72b67 100644
--- a/.github/workflows/ca-existing-nssdb-test.yml
+++ b/.github/workflows/ca-existing-nssdb-test.yml
@@ -61,12 +61,7 @@ jobs:
 docker exec pki pki-server cert-create \
 --ext /usr/share/pki/server/certs/ca_signing.conf \
 ca_signing
- docker exec pki pki \
- -d /etc/pki/pki-tomcat/alias \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
- --trust CT,C,C \
- ca_signing
+ docker exec pki pki-server cert-import ca_signing
 
 # check original cert
 docker exec pki pki \
@@ -90,11 +85,7 @@ jobs:
 --issuer ca_signing \
 --ext /usr/share/pki/server/certs/ocsp_signing.conf \
 ca_ocsp_signing
- docker exec pki pki \
- -d /etc/pki/pki-tomcat/alias \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
- ca_ocsp_signing
+ docker exec pki pki-server cert-import ca_ocsp_signing
 
 # check original cert
 docker exec pki pki \
@@ -118,12 +109,7 @@ jobs:
 --issuer ca_signing \
 --ext /usr/share/pki/server/certs/audit_signing.conf \
 ca_audit_signing
- docker exec pki pki \
- -d /etc/pki/pki-tomcat/alias \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
- --trust ,,P \
- ca_audit_signing
+ docker exec pki pki-server cert-import ca_audit_signing
 
 # check original cert
 docker exec pki pki \
@@ -147,11 +133,7 @@ jobs:
 --issuer ca_signing \
 --ext /usr/share/pki/server/certs/subsystem.conf \
 subsystem
- docker exec pki pki \
- -d /etc/pki/pki-tomcat/alias \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
- subsystem
+ docker exec pki pki-server cert-import subsystem
 
 # check original cert
 docker exec pki pki \
@@ -175,11 +157,7 @@ jobs:
 --issuer ca_signing \
 --ext /usr/share/pki/server/certs/sslserver.conf \
 sslserver
- docker exec pki pki \
- -d /etc/pki/pki-tomcat/alias \
- nss-cert-import \
- --cert /etc/pki/pki-tomcat/certs/sslserver.crt \
- sslserver
+ docker exec pki pki-server cert-import sslserver
 
 # check original cert
 docker exec pki pki \
diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py
index 06f0da93de8..8a5d43472ec 100644
--- a/base/server/python/pki/server/cli/cert.py
+++ b/base/server/python/pki/server/cli/cert.py
@@ -792,27 +792,41 @@ def execute(self, argv):
 
 
 class CertImportCLI(pki.cli.CLI):
+ '''
+ Import system certificate.
+ '''
+
+ help = '''\
+ Usage: pki-server cert-import [OPTIONS]
+
+ -i, --instance Instance ID (default: pki-tomcat)
+ --token Token to store the certificate
+ --nickname Certificate nickname
+ --input Certificate file
+ -v, --verbose Run in verbose mode.
+ --debug Run in debug mode.
+ --help Show help message.
+
+ Cert ID:
+ ca_signing, ca_ocsp_signing, ca_audit_signing,
+ kra_storage, kra_transport, kra_audit_signing,
+ ocsp_signing, ocsp_audit_signing,
+ tks_audit_signing,
+ tps_audit_signing,
+ subsystem, sslserver
+ ''' # noqa: E501
+
 def __init__(self):
- super().__init__('import', 'Import system certificate.')
+ super().__init__('import', inspect.cleandoc(self.__class__.__doc__))
 
 def print_help(self):
- print('Usage: pki-server cert-import [OPTIONS] ')
- # CertID: subsystem, sslserver, kra_storage, kra_transport, ca_ocsp_signing,
- # ca_audit_signing, kra_audit_signing
- # ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
- print()
- print(' -i, --instance Instance ID (default: pki-tomcat).')
- print(' --input Provide input file name.')
- print(' -v, --verbose Run in verbose mode.')
- print(' --debug Run in debug mode.')
- print(' --help Show help message.')
- print()
+ print(textwrap.dedent(self.__class__.help))
 
 def execute(self, argv):
 try:
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
- 'instance=', 'input=',
+ 'instance=', 'token=', 'nickname=', 'input=',
 'verbose', 'debug', 'help'])
 
 except getopt.GetoptError as e:
@@ -821,12 +835,20 @@ def execute(self, argv):
 sys.exit(1)
 
 instance_name = 'pki-tomcat'
+ token = None
+ nickname = None
 cert_file = None
 
 for o, a in opts:
 if o in ('-i', '--instance'):
 instance_name = a
 
+ elif o == '--token':
+ token = a
+
+ elif o == '--nickname':
+ nickname = a
+
 elif o == '--input':
 cert_file = a
 
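Review bot: The new help text presents `--token` and `--nickname` as ordinary options, but according to the instance.py change in this same commit they only take effect when the instance has no subsystem configured; for a configured subsystem the nickname and token are taken from CS.cfg and the options are ignored. Add a line under the options such as `--token and --nickname apply only when the instance has no subsystem; otherwise CS.cfg values are used`, and state the same in the cert_import docstring hunk in instance.py (`:param token:` / `:param nickname:`), so users are not surprised when their values are not honored. The `inspect.cleandoc(...)` and `textwrap.dedent(...)` calls assume both modules are already imported at the top of cert.py, which is outside this hunk. The `Usage:` line also appears to have lost its cert ID argument placeholder in this rendering (it ends after `[OPTIONS]`, as the removed line did); worth confirming the source still names the positional argument.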
@@ -858,12 +880,14 @@ def execute(self, argv):
 logger.error('Invalid instance %s.', instance_name)
 sys.exit(1)
 
- # Load the instance. Default: pki-tomcat
 instance.load()
 
 try:
- # Load the cert into NSS db and update all corresponding subsystem's CS.cfg
- instance.cert_import(cert_id, cert_file)
+ instance.cert_import(
+ cert_id,
+ cert_file=cert_file,
+ token=token,
+ nickname=nickname)
 
 except pki.server.PKIServerException as e:
 logger.error(str(e))
diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
index 215015fd2b9..93d4a76ffab 100644
--- a/base/server/python/pki/server/instance.py
+++ b/base/server/python/pki/server/instance.py
@@ -699,7 +699,12 @@ def cert_update_config(self, cert_id, cert):
 raise pki.server.PKIServerException(
 'No subsystem can be loaded for %s in instance %s.' % (cert_id, self.name))
 
- def cert_import(self, cert_id, cert_file=None):
+ def cert_import(
+ self,
+ cert_id,
+ cert_file=None,
+ token=None,
+ nickname=None):
 """
 Import cert from cert_file into NSS db with appropriate trust
 
@@ -707,6 +712,10 @@ def cert_import(self, cert_id, cert_file=None):
 :type cert_id: str
 :param cert_file: Cert file to be imported into NSS db
 :type cert_file: str
+ :param token: Token to store the certificate
+ :type token: str
+ :param nickname: Certificate nickname
+ :type nickname: str
 :return: None
 :rtype: None
 """
@@ -722,13 +731,33 @@ def cert_import(self, cert_id, cert_file=None):
 
 subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id)
 
- if not subsystem_name:
- subsystem_name = self.get_subsystems()[0].name
-
 logger.debug('- subsystem: %s', subsystem_name)
 logger.debug('- cert tag: %s', cert_tag)
 
- subsystem = self.get_subsystem(subsystem_name)
+ if subsystem_name:
+ # if cert ID contains subsystem name, get that subsystem
+ subsystem = self.get_subsystem(subsystem_name)
+ else:
+ # if cert ID does not contain subsystem name (i.e. sslserver, subsystem),
+ # get the first available subsystem
+ subsystems = self.get_subsystems()
+ if len(subsystems) > 0:
+ subsystem = subsystems[0]
+ else:
+ subsystem = None
+
+ if subsystem:
+ # if the subsystem exists, use the nickname and token
+ # specified in CS.cfg
+ cert_info = subsystem.get_subsystem_cert(cert_tag)
+ nickname = cert_info['nickname']
+ token = cert_info['token']
+ else:
+ # if the subsystem does not exist, use the specified
+ # nickname and token
+ if not nickname:
+ # if nickname not specified, use the cert ID
+ nickname = cert_id
 
 # audit and CA signing cert require special flags set in NSSDB
 trust_attributes = None
@@ -742,21 +771,19 @@ def cert_import(self, cert_id, cert_file=None):
 nssdb = self.open_nssdb()
 
 try:
- cert = subsystem.get_subsystem_cert(cert_tag)
-
 logger.debug('Checking existing %s cert', cert_id)
 
 if nssdb.get_cert(
- nickname=cert['nickname'],
- token=cert['token']):
+ nickname=nickname,
+ token=token):
 raise pki.server.PKIServerException(
 'Certificate already exists: %s' % cert_id)
 
 logger.debug('Importing %s cert', cert_id)
 
 nssdb.add_cert(
- nickname=cert['nickname'],
- token=cert['token'],
+ nickname=nickname,
+ token=token,
 cert_file=cert_file,
 trust_attributes=trust_attributes)
 
diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc
index b109dafc0b9..66af11cf5b1 100644
--- a/docs/changes/v11.5.0/Tools-Changes.adoc
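Review bot: In the new `if subsystem:` branch a caller-supplied `nickname` or `token` is silently overwritten by the CS.cfg values, so `pki-server cert-import --nickname X --token Y` on an instance that already has a subsystem imports under a different nickname and token than the user asked for, with no indication. Treating CS.cfg as authoritative for a configured subsystem is reasonable, but the override should be visible: before the two reassignments add `if nickname or token:` / `logger.warning('Ignoring specified nickname/token for %s; using values from CS.cfg', cert_id)`, or raise PKIServerException if a mismatch should be an error. Note also that when no subsystem exists `token` stays None unless given, so the duplicate check and the add in the next hunk both target whatever `nssdb.get_cert`/`add_cert` treat as the default token; the docstring should say so. The `len(subsystems) > 0` test can be written as `subsystem = subsystems[0] if subsystems else None`. cert_import begins and ends outside this hunk.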
+++ b/docs/changes/v11.5.0/Tools-Changes.adoc @@ -47,3 +47,8 @@ The `pki-server cert-request` command has been added to generate a key pair and The `pki-server cert-create` command has been updated to support creating permanent system certificate using the server's NSS database and RSNv3 serial numbers. + +== Update pki-server cert-import CLI == + +The `pki-server cert-import` command has been updated to provide +options to specify the certificate nickname and token name.