From f9b0d28df1d5df509ab700d2c99fbd28058b7530 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 14 Nov 2023 19:53:44 -0600 Subject: [PATCH] Update pki-server cert-create The pki-server cert-create has been updated to simplify creating a system cert. It will use the server's NSS database directly and RSNv3 serial numbers so it can be used before the CA subsystem is created or when the server is down. It will use the CSR in /etc/pki/pki-tomcat/certs and store the new cert in that folder as well. The tests for installing CA with existing NSS database and HSM have been updated to use this command. --- .github/workflows/ca-existing-hsm-test.yml | 59 ++++-------- .github/workflows/ca-existing-nssdb-test.yml | 49 ++++------ base/server/python/pki/server/cli/cert.py | 97 ++++++++++++-------- base/server/python/pki/server/instance.py | 59 +++++++++++- docs/changes/v11.5.0/Tools-Changes.adoc | 6 ++ 5 files changed, 159 insertions(+), 111 deletions(-) diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml index 473fb2ef709..9ee9ff0c718 100644 --- a/.github/workflows/ca-existing-hsm-test.yml +++ b/.github/workflows/ca-existing-hsm-test.yml @@ -80,22 +80,17 @@ jobs: --subject "CN=CA Signing Certificate" \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ - --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \ --ext /usr/share/pki/server/certs/ca_signing.conf \ - --cert /tmp/ca_signing.crt + ca_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ --trust CT,C,C \ ca_signing @@ -124,23 +119,18 @@ jobs: --subject "CN=OCSP Signing Certificate" \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ - --cert /tmp/ca_ocsp_signing.crt + ca_ocsp_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_ocsp_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ ca_ocsp_signing # check original cert @@ -168,23 +158,18 @@ jobs: --subject "CN=Audit Signing Certificate" \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \ --ext /usr/share/pki/server/certs/audit_signing.conf \ - --cert /tmp/ca_audit_signing.crt + ca_audit_signing docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/ca_audit_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ --trust ,,P \ ca_audit_signing @@ -213,23 +198,18 @@ jobs: --subject "CN=Subsystem Certificate" \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/subsystem.csr \ --ext /usr/share/pki/server/certs/subsystem.conf \ - --cert /tmp/subsystem.crt + subsystem docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ --token HSM \ nss-cert-import \ - --cert /tmp/subsystem.crt \ + --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ subsystem # check original cert @@ -256,22 +236,17 @@ jobs: --subject "CN=pki.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-create \ --token HSM \ - nss-cert-issue \ --issuer HSM:ca_signing \ - --csr /etc/pki/pki-tomcat/certs/sslserver.csr \ --ext /usr/share/pki/server/certs/sslserver.conf \ - --cert /tmp/sslserver.crt + sslserver docker exec pki runuser -u pkiuser -- \ pki \ -d /etc/pki/pki-tomcat/alias \ -f /etc/pki/pki-tomcat/password.conf \ nss-cert-import \ - --cert /tmp/sslserver.crt \ + --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ sslserver # check original cert @@ -461,7 +436,9 @@ jobs: - name: Check CA admin cert run: | - docker exec pki pki client-cert-import ca_signing --ca-cert /tmp/ca_signing.crt + docker exec pki pki client-cert-import \ + --ca-cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ + ca_signing docker exec pki pki -n caadmin ca-user-show caadmin - name: Check CA certs and requests diff --git a/.github/workflows/ca-existing-nssdb-test.yml b/.github/workflows/ca-existing-nssdb-test.yml index 0cbd547c2b5..7add5a2a10c 100644 --- a/.github/workflows/ca-existing-nssdb-test.yml +++ b/.github/workflows/ca-existing-nssdb-test.yml @@ -58,16 +58,13 @@ jobs: --subject "CN=CA Signing Certificate" \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ - --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \ + docker exec pki pki-server cert-create \ --ext /usr/share/pki/server/certs/ca_signing.conf \ - --cert ca_signing.crt + ca_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ --trust CT,C,C \ ca_signing @@ -89,17 +86,14 @@ jobs: --subject "CN=OCSP Signing Certificate" \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ - --cert ca_ocsp_signing.crt + ca_ocsp_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_ocsp_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ ca_ocsp_signing # check original cert @@ -120,17 +114,14 @@ jobs: --subject "CN=Audit Signing Certificate" \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \ --ext /usr/share/pki/server/certs/audit_signing.conf \ - --cert ca_audit_signing.crt + ca_audit_signing docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert ca_audit_signing.crt \ + --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ --trust ,,P \ ca_audit_signing @@ -152,17 +143,14 @@ jobs: --subject "CN=Subsystem Certificate" \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/subsystem.csr \ --ext /usr/share/pki/server/certs/subsystem.conf \ - --cert subsystem.crt + subsystem docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert subsystem.crt \ + --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ subsystem # check original cert @@ -183,17 +171,14 @@ jobs: --subject "CN=pki.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-issue \ + docker exec pki pki-server cert-create \ --issuer ca_signing \ - --csr /etc/pki/pki-tomcat/certs/sslserver.csr \ --ext /usr/share/pki/server/certs/sslserver.conf \ - --cert sslserver.crt + sslserver docker exec pki pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-import \ - --cert sslserver.crt \ + --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ sslserver # check original cert @@ -336,7 +321,9 @@ jobs: - name: Check CA admin cert run: | - docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt + docker exec pki pki client-cert-import \ + --ca-cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ + ca_signing docker exec pki pki -n caadmin ca-user-show caadmin - name: Check CA certs and requests diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py index 25f52597ff3..06f0da93de8 100644 --- a/base/server/python/pki/server/cli/cert.py +++ b/base/server/python/pki/server/cli/cert.py @@ -594,43 +594,57 @@ def execute(self, argv): class CertCreateCLI(pki.cli.CLI): + ''' + Create system certificate. + ''' + + help = '''\ + Usage: pki-server cert-create [OPTIONS] + + -i, --instance Instance ID (default: pki-tomcat) + --token Token that stores the signing key + --issuer Issuer certificate nickname + --ext Certificate extension configuration + -p, --port Secure port number (default: 8443) + -d Security database location (default: ~/.dogtag/nssdb) + -c Password for NSS database + -C Password file for NSS database + -n Client certificate nickname + --temp Create temporary certificate. + --serial Certificate serial number + --output Output file name + --renew Renew permanent certificate. + -u Username for basic authentication + (mutually exclusive to -n option) + -w Password for basic authentication + (mutually exclusive to -W option) + -W Password file for basic authentication + (mutually exclusive to -w option) + -v, --verbose Run in verbose mode. + --debug Run in debug mode. + --help Show help message. + + Cert ID: + ca_signing, ca_ocsp_signing, ca_audit_signing, + kra_storage, kra_transport, kra_audit_signing, + ocsp_signing, ocsp_audit_signing, + tks_audit_signing, + tps_audit_signing, + subsystem, sslserver + ''' # noqa: E501 + def __init__(self): - super().__init__('create', 'Create system certificate.') + super().__init__('create', inspect.cleandoc(self.__class__.__doc__)) def print_help(self): - print('Usage: pki-server cert-create [OPTIONS] ') - # CertID: subsystem, sslserver, kra_storage, kra_transport, ca_ocsp_signing, - # ca_audit_signing, kra_audit_signing - # ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing - print() - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' -p, --port Secure port number (default: 8443).') - print(' -d Security database location ' - '(default: ~/.dogtag/nssdb)') - print(' -c NSS database password') - print(' -C Input file containing the password for the' - ' NSS database.') - print(' -n Client certificate nickname') - print(' --temp Create temporary certificate.') - print(' --serial Provide serial number for the certificate.') - print(' --output Provide output file name.') - print(' --renew Renew permanent certificate.') - print(' -u Username for basic authentication ' - '(mutually exclusive to -n option).') - print(' -w Password for basic authentication ' - '(mutually exclusive to -W option).') - print(' -W Password file for basic authentication' - '(mutually exclusive to -w option).') - print(' -v, --verbose Run in verbose mode.') - print(' --debug Run in debug mode.') - print(' --help Show help message.') - print() + print(textwrap.dedent(self.__class__.help)) def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:u:w:W:p:v', [ - 'instance=', 'temp', 'serial=', + 'instance=', 'token=', 'issuer=', 'ext=', + 'temp', 'serial=', 'output=', 'renew', 'port=', 'verbose', 'debug', 'help']) @@ -640,6 +654,9 @@ def execute(self, argv): sys.exit(1) instance_name = 'pki-tomcat' + token = None + issuer = None + ext_conf = None temp_cert = False serial = None client_nssdb = os.getenv('HOME') + '/.dogtag/nssdb' @@ -657,6 +674,15 @@ def execute(self, argv): if o in ('-i', '--instance'): instance_name = a + elif o == '--token': + token = a + + elif o == '--issuer': + issuer = a + + elif o == '--ext': + ext_conf = a + elif o == '-d': client_nssdb = a @@ -738,13 +764,6 @@ def execute(self, argv): with open(agent_password_file, encoding='utf-8') as f: agent_password = f.read().strip() - if not temp_cert: - # For permanent certificate, password of either NSS DB OR agent is required. - if not client_nssdb_password and not client_nssdb_pass_file and not agent_password: - logger.error('NSS database or agent password is required.') - self.print_help() - sys.exit(1) - cert_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) @@ -753,7 +772,6 @@ def execute(self, argv): logger.error('Invalid instance %s.', instance_name) sys.exit(1) - # Load the instance. Default: pki-tomcat instance.load() try: @@ -763,7 +781,10 @@ def execute(self, argv): client_nssdb_pass=client_nssdb_password, client_nssdb_pass_file=client_nssdb_pass_file, serial=serial, temp_cert=temp_cert, renew=renew, output=output, - username=agent_username, password=agent_password, secure_port=port) + username=agent_username, password=agent_password, secure_port=port, + token=token, + issuer=issuer, + ext_conf=ext_conf) except pki.server.PKIServerException as e: logger.error(str(e)) diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py index f3bc4598d8e..215015fd2b9 100644 --- a/base/server/python/pki/server/instance.py +++ b/base/server/python/pki/server/instance.py @@ -804,7 +804,10 @@ def cert_create( client_cert=None, client_nssdb=None, client_nssdb_pass=None, client_nssdb_pass_file=None, serial=None, temp_cert=False, renew=False, output=None, - secure_port='8443'): + secure_port='8443', + token=None, + issuer=None, + ext_conf=None): """ Create a new cert for the cert_id provided @@ -835,6 +838,12 @@ def cert_create( :type output: str :param secure_port: Secure port number in case of renewing a certificate :type secure_port: str + :param token: Token that stores the signing key + :type token: str + :param issuer: Issuer certificate nickname + :type issuer: str + :param ext_conf: Configuration file for certificate extension + :type ext_conf: str :return: None :rtype: None :raises pki.server.PKIServerException @@ -845,6 +854,54 @@ def cert_create( Note that client_nssdb should be specified in either case, as it contains the CA Certificate. """ + + if not temp_cert and not renew: + # creating permanent cert + + token = pki.nssdb.normalize_token(token) + csr_file = self.csr_file(cert_id) + cert_file = self.cert_file(cert_id) + + cmd = [ + '/usr/sbin/runuser', + '-u', self.user, '--', + 'pki', + '-d', self.nssdb_dir, + '-f', self.password_conf + ] + + if token: + cmd.extend(['--token', token]) + + cmd.extend([ + 'nss-cert-issue', + '--csr', csr_file, + '--cert', cert_file + ]) + + if issuer: + cmd.extend(['--issuer', issuer]) + + if ext_conf: + cmd.extend(['--ext', ext_conf]) + + if logger.isEnabledFor(logging.DEBUG): + cmd.append('--debug') + + elif logger.isEnabledFor(logging.INFO): + cmd.append('--verbose') + + logger.debug('Command: %s', ' '.join(cmd)) + + subprocess.check_call(cmd) + + return + + if not temp_cert: + # For permanent certificate, password of either NSS DB OR agent is required. + if not client_nssdb_pass and not client_nssdb_pass_file and not password: + raise Exception('NSS database or agent password is required.') + nssdb = self.open_nssdb() tmpdir = tempfile.mkdtemp() subsystem = None # used for system certs diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc index 5a362beddee..b109dafc0b9 100644 --- a/docs/changes/v11.5.0/Tools-Changes.adoc +++ b/docs/changes/v11.5.0/Tools-Changes.adoc @@ -41,3 +41,9 @@ Use `pki nss-cert-del` command instead. == New pki-server cert-request CLI == The `pki-server cert-request` command has been added to generate a key pair and an enrollment request for a system certificate. + +== Update pki-server cert-create CLI == + +The `pki-server cert-create` command has been updated to support +creating permanent system certificate using the server's NSS database +and RSNv3 serial numbers.