From 4fd1a6bb9aa8407fd9508c9cc94d9fde2739c3c8 Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Mon, 2 Oct 2023 16:43:23 +0200 Subject: [PATCH 1/2] pki-server system certificate from nssdb System certificates are stored in CS.cfg and nssdb. This is redundant, all operations should use the same source for the certificate which is the nssdb. This modify the following command in order to get the certificate from nssdb: [root@pki /] # pki-server cert-export --cert-file --- base/common/python/pki/nssdb.py | 2 ++ base/server/python/pki/server/subsystem.py | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 8da32e78094..0c3e93fb6c4 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -2009,6 +2009,8 @@ def get_cert_info(self, nickname, token=None): cert = {} cert['object'] = cert_obj + cert['data'] = self.get_cert(nickname=nickname, token=token, output_format='base64') + cert['serial_number'] = cert_obj.serial_number cert['issuer'] = pki.convert_x509_name_to_dn(cert_obj.issuer) diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index d2ff3af4cc6..235aa602668 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -306,7 +306,6 @@ def get_cert_info(self, tag): cert['id'] = tag cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, tag)) cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, tag)) - cert['data'] = self.config.get('%s.%s.cert' % (self.name, tag)) cert['request'] = self.config.get('%s.%s.certreq' % (self.name, tag)) cert['certusage'] = self.config.get('%s.cert.%s.certusage' % (self.name, tag)) From 51e7094bb2dcb9d6f8ab0200d1e6be15778e4a72 Mon Sep 17 00:00:00 2001 
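Review bot: The new `cert['data']` assignment sends `get_cert_info` back to the NSS database (presumably another certutil round trip inside `get_cert`) for a certificate the method already holds in `cert_obj`; if `cert_obj` is a `cryptography` X.509 object, as the `serial_number` and `issuer` attributes suggest, the same base64 DER can be produced locally with `base64.b64encode(cert_obj.public_bytes(serialization.Encoding.DER)).decode('ascii')` when those names are already imported in nssdb.py, avoiding a second lookup on every caller that only lists certificates. Whether `get_cert` can return `None` (for example when the nickname lives on a different token) is not visible here; if it can, the value should be checked before consumers hand it to `convert_cert`. A one-line comment on the new line would spare readers a trip to `get_cert`, e.g. `# base64 DER without PEM armor; consumers convert with convert_cert(..., 'base64', 'pem')`. `get_cert_info` starts and ends outside the hunk.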
From: Marco Fargetta Date: Tue, 3 Oct 2023 13:10:37 +0200 Subject: [PATCH 2/2] cert-export read from config file or config folder The command pki-server cert-export will read the certificate and the relative request from the "/config/certs" folder if not found in other places --- base/server/python/pki/server/cli/cert.py | 28 +++++++++++++++------- base/server/python/pki/server/subsystem.py | 1 + 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py index 8722df821ad..316f5277b3f 100644 --- a/base/server/python/pki/server/cli/cert.py +++ b/base/server/python/pki/server/cli/cert.py @@ -959,11 +959,17 @@ def execute(self, argv): logger.info('Exporting %s certificate into %s.', cert_id, cert_file) cert_data = cert.get('data') - if cert_data is None: - logger.error('Unable to find certificate data for %s', cert_id) - sys.exit(1) + if cert_data: + cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') + else: + crt_path = os.path.join(instance.conf_dir, 'conf', 'certs', cert_id + '.crt') + try: + with open(crt_path, 'r', encoding='utf-8') as f: + cert_data = ''.join(f.readlines()) + except FileNotFoundError: + logger.error('Unable to find certificate data for %s', cert_id) + sys.exit(1) - cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') with open(cert_file, 'w', encoding='utf-8') as f: f.write(cert_data) 
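Review bot: The fallback path `os.path.join(instance.conf_dir, 'conf', 'certs', cert_id + '.crt')` looks one directory too deep: if `instance.conf_dir` already names the instance's conf directory, as its name suggests, this resolves to `conf/conf/certs`, whereas the commit message places the certs folder directly under the config directory — `crt_path = os.path.join(instance.conf_dir, 'certs', cert_id + '.crt')` would match that. `cert_id` comes from the command line, and unless it is validated earlier in `execute` nothing in the hunk stops a value containing path separators from steering the read outside the certs directory; a guard such as `if os.path.basename(cert_id) != cert_id: logger.error('Invalid cert ID: %s', cert_id); sys.exit(1)` before building the path keeps it a plain file name. Two smaller points: `''.join(f.readlines())` is simply `f.read()`, and only `FileNotFoundError` is caught, so a permission error on the file surfaces as a traceback instead of the logged message — catching `OSError` there keeps the CLI's error reporting consistent. `execute` begins before and continues past this hunk.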
@@ -972,11 +978,17 @@ def execute(self, argv): logger.info('Exporting %s CSR into %s.', cert_id, csr_file) cert_request = cert.get('request') - if cert_request is None: - logger.error('Unable to find certificate request for %s', cert_id) - sys.exit(1) + if cert_request: + csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') + else: + csr_path = os.path.join(instance.conf_dir, 'conf', 'certs', cert_id + '.csr') + try: + with open(csr_path, 'r', encoding='utf-8') as f: + csr_data = ''.join(f.readlines()) + except FileNotFoundError: + logger.error('Unable to find certificate request for %s', cert_id) + sys.exit(1) - csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') with open(csr_file, 'w', encoding='utf-8') as f: f.write(csr_data) diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index 235aa602668..d2ff3af4cc6 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -306,6 +306,7 @@ def get_cert_info(self, tag): cert['id'] = tag cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, tag)) cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, tag)) + cert['data'] = self.config.get('%s.%s.cert' % (self.name, tag)) cert['request'] = self.config.get('%s.%s.certreq' % (self.name, tag)) cert['certusage'] = self.config.get('%s.cert.%s.certusage' % (self.name, tag))
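Review bot: The CSR branch repeats the certificate branch line for line (truthiness test, fallback path, open and read, `FileNotFoundError` turned into a logged message plus `sys.exit(1)`) with only the suffix and the log wording changed, so a small module-level helper that reads the fallback file and exits when it is absent removes the duplication and keeps both error messages in one place. The helper below preserves the messages and exit code the hunk uses and replaces `''.join(f.readlines())` with the equivalent `f.read()`; `csr_path` is built as before and passed in. `execute` begins before this hunk.

```python
def _read_pem_or_exit(path, what, cert_id):
    """Return the text of *path*; log and exit(1) when the file is absent."""
    try:
        with open(path, 'r', encoding='utf-8') as f:
            return f.read()
    except FileNotFoundError:
        logger.error('Unable to find certificate %s for %s', what, cert_id)
        sys.exit(1)

# … unchanged: execute() up to the CSR branch …
            if cert_request:
                csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
            else:
                csr_path = os.path.join(instance.conf_dir, 'conf', 'certs', cert_id + '.csr')
                csr_data = _read_pem_or_exit(csr_path, 'request', cert_id)
```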
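Review bot: The `cert['data'] = self.config.get('%s.%s.cert' % (self.name, tag))` line re-added here is exactly the one PATCH 1/2 removed from `get_cert_info` — the index line goes from 235aa602668 back to d2ff3af4cc6 — so after the series CS.cfg is still where `cert['data']` is read from and the first commit's stated goal of making the NSS database the single source no longer holds. Either squash the two patches into one commit whose message describes the resulting behaviour (CS.cfg first, the `certs` folder as fallback), or drop this hunk and have cert-export consult the NSS database entry added in 1/2; which of the two `get_cert_info` methods cert-export actually calls is outside the hunks shown. `get_cert_info` starts and ends outside the hunk.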