diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml index 473fb2ef709..9ee9ff0c718 100644 --- a/.github/workflows/ca-existing-hsm-test.yml +++ b/.github/workflows/ca-existing-hsm-test.yml @@ -80,22 +80,17 @@ jobs: --subject "CN=CA Signing Certificate" \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ - --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \ --ext /usr/share/pki/server/certs/ca_signing.conf \ - --cert /tmp/ca_signing.crt + ca_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ --trust CT,C,C \ ca_signing @@ -124,23 +119,18 @@ jobs: --subject "CN=OCSP Signing Certificate" \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ - --cert /tmp/ca_ocsp_signing.crt + ca_ocsp_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_ocsp_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ ca_ocsp_signing # check original cert @@ -168,23 +158,18 @@ jobs: --subject "CN=Audit Signing Certificate" \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \ --ext /usr/share/pki/server/certs/audit_signing.conf \ - --cert /tmp/ca_audit_signing.crt + ca_audit_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_audit_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ --trust ,,P \ ca_audit_signing @@ -213,23 +198,18 @@ jobs: --subject "CN=Subsystem Certificate" \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/subsystem.csr \ --ext /usr/share/pki/server/certs/subsystem.conf \ - --cert /tmp/subsystem.crt + subsystem docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/subsystem.crt \ + --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ subsystem # check original cert @@ -256,22 +236,17 @@ jobs: --subject "CN=pki.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/sslserver.csr \ --ext /usr/share/pki/server/certs/sslserver.conf \ - --cert /tmp/sslserver.crt + sslserver docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ nss-cert-import \ - --cert /tmp/sslserver.crt \ + --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ sslserver # check original cert @@ -461,7 +436,9 @@ jobs: - name: Check CA admin cert run: | - docker exec pki pki client-cert-import ca_signing --ca-cert /tmp/ca_signing.crt + docker exec pki pki client-cert-import \ + --ca-cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ + ca_signing docker exec pki pki -n caadmin ca-user-show caadmin - name: Check CA certs and requests diff --git a/.github/workflows/ca-existing-nssdb-test.yml b/.github/workflows/ca-existing-nssdb-test.yml index 0cbd547c2b5..7add5a2a10c 100644 --- a/.github/workflows/ca-existing-nssdb-test.yml +++ b/.github/workflows/ca-existing-nssdb-test.yml @@ -58,16 +58,13 @@ jobs: --subject "CN=CA Signing Certificate" \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ - --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \ + docker exec pki pki-server cert-create \ --ext /usr/share/pki/server/certs/ca_signing.conf \ - --cert ca_signing.crt + ca_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ --trust CT,C,C \ ca_signing @@ -89,17 +86,14 @@ jobs: --subject "CN=OCSP Signing Certificate" \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ - --cert ca_ocsp_signing.crt + ca_ocsp_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_ocsp_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ ca_ocsp_signing # check original cert @@ -120,17 +114,14 @@ jobs: --subject "CN=Audit Signing Certificate" \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \ --ext /usr/share/pki/server/certs/audit_signing.conf \ - --cert ca_audit_signing.crt + ca_audit_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_audit_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ --trust ,,P \ ca_audit_signing @@ -152,17 +143,14 @@ jobs: --subject "CN=Subsystem Certificate" \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/subsystem.csr \ --ext /usr/share/pki/server/certs/subsystem.conf \ - --cert subsystem.crt + subsystem docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert subsystem.crt \ + --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ subsystem # check original cert @@ -183,17 +171,14 @@ jobs: --subject "CN=pki.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/sslserver.csr \ --ext /usr/share/pki/server/certs/sslserver.conf \ - --cert sslserver.crt + sslserver docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert sslserver.crt \ + --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ sslserver # check original cert @@ -336,7 +321,9 @@ jobs: - name: Check CA admin cert run: | - docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt + docker exec pki pki client-cert-import \ + --ca-cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ + ca_signing docker exec pki pki -n caadmin ca-user-show caadmin - name: Check CA certs and requests diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py index 25f52597ff3..06f0da93de8 100644 --- a/base/server/python/pki/server/cli/cert.py +++ b/base/server/python/pki/server/cli/cert.py @@ -594,43 +594,57 @@ def execute(self, argv): class CertCreateCLI(pki.cli.CLI): + ''' + Create system certificate. + ''' + + help = '''\ + Usage: pki-server cert-create [OPTIONS] + + -i, --instance Instance ID (default: pki-tomcat) + --token Token that stores the signing key + --issuer Issuer certificate nickname + --ext Certificate extension configuration + -p, --port Secure port number (default: 8443) + -d Security database location (default: ~/.dogtag/nssdb) + -c Password for NSS database + -C Password file for NSS database + -n Client certificate nickname + --temp Create temporary certificate. + --serial Certificate serial number + --output Output file name + --renew Renew permanent certificate. + -u Username for basic authentication + (mutually exclusive to -n option) + -w Password for basic authentication + (mutually exclusive to -W option) + -W Password file for basic authentication + (mutually exclusive to -w option) + -v, --verbose Run in verbose mode. + --debug Run in debug mode. + --help Show help message. + + Cert ID: + ca_signing, ca_ocsp_signing, ca_audit_signing, + kra_storage, kra_transport, kra_audit_signing, + ocsp_signing, ocsp_audit_signing, + tks_audit_signing, + tps_audit_signing, + subsystem, sslserver + ''' # noqa: E501 + def __init__(self): - super().__init__('create', 'Create system certificate.') + super().__init__('create', inspect.cleandoc(self.__class__.__doc__)) def print_help(self): - print('Usage: pki-server cert-create [OPTIONS] ') - # CertID: subsystem, sslserver, kra_storage, kra_transport, ca_ocsp_signing, - # ca_audit_signing, kra_audit_signing - # ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing - print() - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' -p, --port Secure port number (default: 8443).') - print(' -d Security database location ' - '(default: ~/.dogtag/nssdb)') - print(' -c NSS database password') - print(' -C Input file containing the password for the' - ' NSS database.') - print(' -n Client certificate nickname') - print(' --temp Create temporary certificate.') - print(' --serial Provide serial number for the certificate.') - print(' --output Provide output file name.') - print(' --renew Renew permanent certificate.') - print(' -u Username for basic authentication ' - '(mutually exclusive to -n option).') - print(' -w Password for basic authentication ' - '(mutually exclusive to -W option).') - print(' -W Password file for basic authentication' - '(mutually exclusive to -w option).') - print(' -v, --verbose Run in verbose mode.') - print(' --debug Run in debug mode.') - print(' --help Show help message.') - print() + print(textwrap.dedent(self.__class__.help)) def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:u:w:W:p:v', [ - 'instance=', 'temp', 'serial=', + 'instance=', 'token=', 'issuer=', 'ext=', + 'temp', 'serial=', 'output=', 'renew', 'port=', 'verbose', 'debug', 'help']) @@ -640,6 +654,9 @@ def execute(self, argv): sys.exit(1) instance_name = 'pki-tomcat' + token = None + issuer = None + ext_conf = None temp_cert = False serial = None client_nssdb = os.getenv('HOME') + '/.dogtag/nssdb' @@ -657,6 +674,15 @@ def execute(self, argv): if o in ('-i', '--instance'): instance_name = a + elif o == '--token': + token = a + + elif o == '--issuer': + issuer = a + + elif o == '--ext': + ext_conf = a + elif o == '-d': client_nssdb = a @@ -738,13 +764,6 @@ def execute(self, argv): with open(agent_password_file, encoding='utf-8') as f: agent_password = f.read().strip() - if not temp_cert: - # For permanent certificate, password of either NSS DB OR agent is required. - if not client_nssdb_password and not client_nssdb_pass_file and not agent_password: - logger.error('NSS database or agent password is required.') - self.print_help() - sys.exit(1) - cert_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) @@ -753,7 +772,6 @@ def execute(self, argv): logger.error('Invalid instance %s.', instance_name) sys.exit(1) - # Load the instance. Default: pki-tomcat instance.load() try: @@ -763,7 +781,10 @@ def execute(self, argv): client_nssdb_pass=client_nssdb_password, client_nssdb_pass_file=client_nssdb_pass_file, serial=serial, temp_cert=temp_cert, renew=renew, output=output, - username=agent_username, password=agent_password, secure_port=port) + username=agent_username, password=agent_password, secure_port=port, + token=token, + issuer=issuer, + ext_conf=ext_conf) except pki.server.PKIServerException as e: logger.error(str(e)) diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py index f3bc4598d8e..215015fd2b9 100644 --- a/base/server/python/pki/server/instance.py +++ b/base/server/python/pki/server/instance.py @@ -804,7 +804,10 @@ def cert_create( client_cert=None, client_nssdb=None, client_nssdb_pass=None, client_nssdb_pass_file=None, serial=None, temp_cert=False, renew=False, output=None, - secure_port='8443'): + secure_port='8443', + token=None, + issuer=None, + ext_conf=None): """ Create a new cert for the cert_id provided @@ -835,6 +838,12 @@ def cert_create( :type output: str :param secure_port: Secure port number in case of renewing a certificate :type secure_port: str + :param token: Token that stores the signing key + :type token: str + :param issuer: Issuer certificate nickname + :type issuer: str + :param ext_conf: Configuration file for certificate extension + :type ext_conf: str :return: None :rtype: None :raises pki.server.PKIServerException @@ -845,6 +854,54 @@ def cert_create( Note that client_nssdb should be specified in either case, as it contains the CA Certificate. """ + + if not temp_cert and not renew: + # creating permanent cert + + token = pki.nssdb.normalize_token(token) + csr_file = self.csr_file(cert_id) + cert_file = self.cert_file(cert_id) + + cmd = [ + '/usr/sbin/runuser', + '-u', self.user, '--', + 'pki', + '-d', self.nssdb_dir, + '-f', self.password_conf + ] + + if token: + cmd.extend(['--token', token]) + + cmd.extend([ + 'nss-cert-issue', + '--csr', csr_file, + '--cert', cert_file + ]) + + if issuer: + cmd.extend(['--issuer', issuer]) + + if ext_conf: + cmd.extend(['--ext', ext_conf]) + + if logger.isEnabledFor(logging.DEBUG): + cmd.append('--debug') + + elif logger.isEnabledFor(logging.INFO): + cmd.append('--verbose') + + logger.debug('Command: %s', ' '.join(cmd)) + + subprocess.check_call(cmd) + + return + + if not temp_cert: + # For permanent certificate, password of either NSS DB OR agent is required. + if not client_nssdb_pass and not client_nssdb_pass_file and not password: + raise Exception('NSS database or agent password is required.') + nssdb = self.open_nssdb() tmpdir = tempfile.mkdtemp() subsystem = None # used for system certs diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc index 5a362beddee..b109dafc0b9 100644 --- a/docs/changes/v11.5.0/Tools-Changes.adoc +++ b/docs/changes/v11.5.0/Tools-Changes.adoc @@ -41,3 +41,9 @@ Use `pki nss-cert-del` command instead. == New pki-server cert-request CLI == The `pki-server cert-request` command has been added to generate a key pair and an enrollment request for a system certificate. + +== Update pki-server cert-create CLI == + +The `pki-server cert-create` command has been updated to support +creating permanent system certificate using the server's NSS database +and RSNv3 serial numbers.