Add pki-server cert-request
The pki-server cert-request command has been added to simplify creating
CSRs for system certs: callers no longer need to specify the NSS
database path, password file, or CSR path, and the ownership of the
generated files is fixed as part of the command.

The cert_folder(), cert_file(), and csr_file() in PKIInstance
have been moved into PKIServer so they can be reused. The
cert_folder() has been renamed to certs_dir() for consistency.

The PKIServer.create() and instance_layout.py have been updated
to create the certs folder so it's guaranteed to exist.

The RemoveCertCSRfromConfig upgrade script has been updated to
use the new methods in PKIServer.

The tests for installing CA with existing NSS database and
existing HSM have been updated to use the new command.
edewata committed Nov 14, 2023
1 parent 0222dc4 commit b62545e
Showing 8 changed files with 177 additions and 82 deletions.
55 changes: 15 additions & 40 deletions .github/workflows/ca-existing-hsm-test.yml
Expand Up @@ -75,22 +75,18 @@ jobs:
- name: Create CA signing cert in HSM
run: |
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
docker exec pki pki-server cert-request \
--token HSM \
nss-cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr /tmp/ca_signing.csr
ca_signing
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
--token HSM \
nss-cert-issue \
--csr /tmp/ca_signing.csr \
--csr /etc/pki/pki-tomcat/certs/ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert /tmp/ca_signing.crt
docker exec pki runuser -u pkiuser -- \
Expand Down Expand Up @@ -123,23 +119,19 @@ jobs:
- name: Create CA OCSP signing cert in HSM
run: |
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
docker exec pki pki-server cert-request \
--token HSM \
nss-cert-request \
--subject "CN=OCSP Signing Certificate" \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--csr /tmp/ca_ocsp_signing.csr
ca_ocsp_signing
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
--token HSM \
nss-cert-issue \
--issuer HSM:ca_signing \
--csr /tmp/ca_ocsp_signing.csr \
--csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--cert /tmp/ca_ocsp_signing.crt
docker exec pki runuser -u pkiuser -- \
Expand Down Expand Up @@ -171,23 +163,19 @@ jobs:
- name: Create CA audit signing cert in HSM
run: |
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
docker exec pki pki-server cert-request \
--token HSM \
nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr /tmp/ca_audit_signing.csr
ca_audit_signing
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
--token HSM \
nss-cert-issue \
--issuer HSM:ca_signing \
--csr /tmp/ca_audit_signing.csr \
--csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert /tmp/ca_audit_signing.crt
docker exec pki runuser -u pkiuser -- \
Expand Down Expand Up @@ -220,23 +208,19 @@ jobs:
- name: Create subsystem cert in HSM
run: |
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
docker exec pki pki-server cert-request \
--token HSM \
nss-cert-request \
--subject "CN=Subsystem Certificate" \
--ext /usr/share/pki/server/certs/subsystem.conf \
--csr /tmp/subsystem.csr
subsystem
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
--token HSM \
nss-cert-issue \
--issuer HSM:ca_signing \
--csr /tmp/subsystem.csr \
--csr /etc/pki/pki-tomcat/certs/subsystem.csr \
--ext /usr/share/pki/server/certs/subsystem.conf \
--cert /tmp/subsystem.crt
docker exec pki runuser -u pkiuser -- \
Expand Down Expand Up @@ -268,22 +252,18 @@ jobs:
- name: Create SSL server cert in server's NSS database
run: |
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=pki.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr /tmp/sslserver.csr
sslserver
docker exec pki runuser -u pkiuser -- \
pki \
-d /etc/pki/pki-tomcat/alias \
-f /etc/pki/pki-tomcat/password.conf \
--token HSM \
nss-cert-issue \
--issuer HSM:ca_signing \
--csr /tmp/sslserver.csr \
--csr /etc/pki/pki-tomcat/certs/sslserver.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert /tmp/sslserver.crt
docker exec pki runuser -u pkiuser -- \
Expand Down Expand Up @@ -354,11 +334,6 @@ jobs:
-D pki_audit_signing_token=HSM \
-D pki_subsystem_token=HSM \
-D pki_sslserver_token=internal \
-D pki_ca_signing_csr_path=/tmp/ca_signing.csr \
-D pki_ocsp_signing_csr_path=/tmp/ca_ocsp_signing.csr \
-D pki_audit_signing_csr_path=/tmp/ca_audit_signing.csr \
-D pki_subsystem_csr_path=/tmp/subsystem.csr \
-D pki_sslserver_csr_path=/tmp/sslserver.csr \
-D pki_admin_cert_path=/tmp/admin.crt \
-D pki_admin_csr_path=/tmp/admin.csr \
-v
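Review bot: The `runuser -u pkiuser --` wrapper was dropped only from the request side, so in each "Create ... cert in HSM" step the key pair and CSR are now produced by root while the following `nss-cert-issue` still runs as pkiuser and reads `/etc/pki/pki-tomcat/certs/<id>.csr`. The ownership fix the commit message promises lives in `PKIServer.cert_request()`, which is not part of this diff, so nothing in the workflow verifies that a root-created CSR is readable by the service account before the issue step runs. Consider a check right after each request, e.g. `docker exec pki stat -c '%U:%G %a' /etc/pki/pki-tomcat/certs/ca_signing.csr` together with `docker exec pki runuser -u pkiuser -- test -r /etc/pki/pki-tomcat/certs/ca_signing.csr`, so an ownership regression fails at the request step rather than somewhere inside pkispawn. Whether generating the HSM-backed key pair as root instead of as pkiuser changes anything for the token (for example softhsm token-directory ownership) is not visible here and is worth confirming.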
32 changes: 10 additions & 22 deletions .github/workflows/ca-existing-nssdb-test.yml
Expand Up @@ -54,13 +54,10 @@ jobs:
- name: Create CA signing cert in server's NSS database
run: |
docker exec pki mkdir -p /etc/pki/pki-tomcat/certs
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr /etc/pki/pki-tomcat/certs/ca_signing.csr
ca_signing
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-issue \
Expand Down Expand Up @@ -88,12 +85,10 @@ jobs:
- name: Create CA OCSP signing cert in server's NSS database
run: |
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=OCSP Signing Certificate" \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr
ca_ocsp_signing
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-issue \
Expand Down Expand Up @@ -121,12 +116,10 @@ jobs:
- name: Create CA audit signing cert in server's NSS database
run: |
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr
ca_audit_signing
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-issue \
Expand Down Expand Up @@ -155,12 +148,10 @@ jobs:
- name: Create subsystem cert in server's NSS database
run: |
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=Subsystem Certificate" \
--ext /usr/share/pki/server/certs/subsystem.conf \
--csr /etc/pki/pki-tomcat/certs/subsystem.csr
subsystem
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-issue \
Expand Down Expand Up @@ -188,12 +179,10 @@ jobs:
- name: Create SSL server cert in server's NSS database
run: |
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-request \
docker exec pki pki-server cert-request \
--subject "CN=pki.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr /etc/pki/pki-tomcat/certs/sslserver.csr
sslserver
docker exec pki pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-issue \
Expand Down Expand Up @@ -243,7 +232,6 @@ jobs:
- name: Install CA with existing NSS database
run: |
docker exec pki chown -R pkiuser:pkiuser /etc/pki/pki-tomcat/certs
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
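Review bot: The `docker exec pki mkdir -p /etc/pki/pki-tomcat/certs` and `docker exec pki chown -R pkiuser:pkiuser /etc/pki/pki-tomcat/certs` steps were removed, and both commands used in this workflow (`pki-server cert-request` and `pki nss-cert-issue`) run as root, so the only thing guaranteeing pkiuser can read the CSRs during the "Install CA with existing NSS database" step is the ownership handling inside `PKIServer.cert_request()`, which is outside this diff. A regression there would surface only as a pkispawn failure far from its cause; a cheap assertion before pkispawn, e.g. `docker exec pki runuser -u pkiuser -- ls -l /etc/pki/pki-tomcat/certs`, would let this test catch it directly. The certs folder is now expected to pre-exist from `PKIServer.create()`, which presumably holds for the instance this workflow creates, but it means the workflow no longer exercises an instance whose conf dir predates the folder.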
18 changes: 18 additions & 0 deletions base/server/python/pki/server/__init__.py
Expand Up @@ -154,6 +154,10 @@ def bin_dir(self):
def conf_dir(self):
return os.path.join(self.base_dir, 'conf')

@property
def certs_dir(self):
return os.path.join(self.conf_dir, 'certs')

@property
def lib_dir(self):
return os.path.join(self.base_dir, 'lib')
Expand Down Expand Up @@ -307,6 +311,18 @@ def export_ca_cert(self):

# TODO: handle other types of HTTP connector

def cert_file(self, cert_id):
'''
Compute name of certificate under instance certs folder.
'''
return os.path.join(self.certs_dir, cert_id + '.crt')

def csr_file(self, cert_id):
'''
Compute name of CSR under instance certs folder.
'''
return os.path.join(self.certs_dir, cert_id + '.csr')

def create_catalina_policy(self):

logger.info('Creating catalina.policy')
Expand Down Expand Up @@ -685,6 +701,8 @@ def create(self, force=False):

self.create_conf_dir(exist_ok=True)

self.makedirs(self.certs_dir, exist_ok=True)

catalina_policy = os.path.join(Tomcat.CONF_DIR, 'catalina.policy')
self.copy(catalina_policy, self.catalina_policy, force=force)

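Review bot: `cert_file()` and `csr_file()` splice `cert_id` straight into a path under `certs_dir`, so an ID containing a path separator or `..` (a typo on the `pki-server cert-request` command line, or an ID read from a config file by an upgrade script) resolves outside the instance's certs folder. Since these helpers are now shared, a guard at the top of each is cheap: `if not cert_id or os.sep in cert_id or cert_id in ('.', '..'): raise ValueError('Invalid cert ID: %s' % cert_id)` (or a common `_check_cert_id()` called by both). Separately, `create()` (only partially shown in this hunk) makes `certs_dir` for instances created from now on; whether `cert_request()` creates it on demand for older instances is not visible here, so an `instance.makedirs(instance.certs_dir, exist_ok=True)` before writing the CSR, or a matching upgrade script, may be needed. The mode and owner that `makedirs()` applies to the new folder are also not shown; since it will hold CSRs and certs that pkiuser must read, confirm it is created as the instance user.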
91 changes: 91 additions & 0 deletions base/server/python/pki/server/cli/cert.py
Expand Up @@ -54,6 +54,7 @@ def __init__(self):
self.add_module(CertShowCLI())
self.add_module(CertValidateCLI())
self.add_module(CertUpdateCLI())
self.add_module(CertRequestCLI())
self.add_module(CertCreateCLI())
self.add_module(CertImportCLI())
self.add_module(CertExportCLI())
Expand Down Expand Up @@ -502,6 +503,96 @@ def execute(self, argv):
self.print_message('Updated "%s" system certificate' % cert_id)


class CertRequestCLI(pki.cli.CLI):
'''
Generate a key pair and an enrollment request for a system certificate.
'''

help = '''\
Usage: pki-server cert-request [OPTIONS] <Cert ID>
-i, --instance <instance ID> Instance ID (default: pki-tomcat)
--token <name> Token for storing the key pair
--subject <DN> Subject DN
--ext <path> Configuration file for CSR extension
-v, --verbose Run in verbose mode.
--debug Run in debug mode.
--help Show help message.
''' # noqa: E501

def __init__(self):
super().__init__('request', inspect.cleandoc(self.__class__.__doc__))

def print_help(self):
print(textwrap.dedent(self.__class__.help))

def execute(self, argv):

try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=', 'token=', 'subject=', 'ext=',
'verbose', 'debug', 'help'])

except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)

instance_name = 'pki-tomcat'
token = None
subject_dn = None
ext_conf = None

for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a

elif o == '--token':
token = a

elif o == '--subject':
subject_dn = a

elif o == '--ext':
ext_conf = a

elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)

elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)

elif o == '--help':
self.print_help()
sys.exit()

else:
logger.error('Invalid option: %s', o)
self.print_help()
sys.exit(1)

if len(args) < 1:
raise Exception('Missing certificate ID')

if subject_dn is None:
raise Exception('Missing subject DN')

cert_id = args[0]

instance = pki.server.instance.PKIServerFactory.create(instance_name)

if not instance.exists():
raise Exception('Invalid instance: %s' % instance_name)

instance.load()

instance.cert_request(
cert_id,
subject_dn,
token=token,
ext_conf=ext_conf)


class CertCreateCLI(pki.cli.CLI):
def __init__(self):
super().__init__('create', 'Create system certificate.')
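Review bot: `CertRequestCLI.execute()` checks `if len(args) < 1` but then uses only `args[0]`, so `pki-server cert-request --subject ... ca_signing ca_ocsp_signing` silently requests one certificate and drops the second; `if len(args) != 1: raise Exception('Expected exactly one certificate ID')` would match the usage line `[OPTIONS] <Cert ID>`. The help text also does not say where the CSR ends up or which password is used to open the token, which matters precisely because the point of the command is that callers no longer pass `-d`, `-f` and `--csr`; a line such as `The CSR is written to <instance conf dir>/certs/<Cert ID>.csr using the instance password.conf` would close that gap, but the exact location and password source live in `PKIServer.cert_request()`, which is not in this diff, so confirm before wording it. `--subject` is mandatory (the code raises when it is missing) yet the usage text does not mark it as required, so a traceback is currently the first hint.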
Expand Up @@ -54,6 +54,8 @@ def spawn(self, deployer):
logger.info('Creating %s', instance.conf_dir)
instance.makedirs(instance.conf_dir, exist_ok=True)

instance.makedirs(instance.certs_dir, exist_ok=True)

# Configuring internal token password

internal_token = deployer.mdict['pki_self_signed_token']
