Added support for true cert renewal, depends on recent upstream patch to
certutil targeted for nss 3.12.2, will patch downstream for now.
This commit is contained in:
parent
944ff68ec0
commit
054411e9e5
178
genkey.pl
178
genkey.pl
@ -70,9 +70,11 @@ sub usage
|
||||
print STDERR <<EOH;
|
||||
Usage: genkey [options] servername
|
||||
--test Test mode, faster seeding, overwrite existing key
|
||||
--genreq Just generate a CSR from an existing key
|
||||
--makeca Generate a private CA key instead
|
||||
--genreq Generate a Certificate Signing Request (CSR)
|
||||
--makeca Generate a self-signed certificate for a CA
|
||||
--days Days until expiry of self-signed certificate (default 30)
|
||||
--renew CSR is for cert renewal, reusing existing key pair
|
||||
--isca Renewal is for a CA certificate
|
||||
--nss Use the nss database for keys and certificates
|
||||
EOH
|
||||
exit 1;
|
||||
@ -121,12 +123,16 @@ my $genreq_mode = '';
|
||||
my $ca_mode = '';
|
||||
my $cert_days = 30;
|
||||
my $nss ='';
|
||||
my $renew = '';
|
||||
my $isca = '';
|
||||
my $modNssDbDir = '';
|
||||
my $nssNickname = '';
|
||||
my $nssDBPrefix = '';
|
||||
GetOptions('test|t' => \$test_mode,
|
||||
'genreq' => \$genreq_mode,
|
||||
'days=i' => \$cert_days,
|
||||
'renew' => \$renew,
|
||||
'isca' => \$isca,
|
||||
'nss|n' => \$nss,
|
||||
'makeca' => \$ca_mode) or usage();
|
||||
usage() unless @ARGV != 0;
|
||||
@ -186,6 +192,19 @@ if (!$genreq_mode && -f $keyfile && !$overwrite_key) {
|
||||
Newt::Finished();
|
||||
exit 1;
|
||||
}
|
||||
} else {
|
||||
# check for the key in the database
|
||||
if (!$genreq_mode && keyInDatabase($nssNickname,$modNssDbDir) &&
|
||||
!$renew && !$overwrite_key) {
|
||||
Newt::newtWinMessage("Error", "Close",
|
||||
"You already have a key file for this host in the datatabase:\n\n" .
|
||||
"$modNssDbDir" ." with nickname ". "$nssNickname" . "\n\n" .
|
||||
"This script will not overwrite an existing key.\n" .
|
||||
"You will need to remove or rename the database in order to" .
|
||||
"generate a new key for this host, then rerun the command");
|
||||
Newt::Finished();
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
######################################################################
|
||||
@ -204,8 +223,9 @@ if (!$genreq_mode && -f $keyfile && !$overwrite_key) {
|
||||
my @windows;
|
||||
if ($genreq_mode) {
|
||||
$useca = 1;
|
||||
@windows = (
|
||||
getkeysizeWindow,
|
||||
@windows = $renew
|
||||
? (passwordWindow,genReqWindow,)
|
||||
: (getkeysizeWindow,
|
||||
customKeySizeWindow,
|
||||
getRandomDataWindow,
|
||||
passwordWindow,
|
||||
@ -393,6 +413,36 @@ sub clearSensitiveData {
|
||||
}
|
||||
}
|
||||
|
||||
# Remove a directory and its contents
|
||||
sub removeDirectory {
|
||||
my ($dir) = @_;
|
||||
if (-f $dir) {
|
||||
opendir(DOOMED, $dir) || die("Cannot open directory");
|
||||
my @thefiles= readdir(DOOMED);
|
||||
foreach my $file (@thefiles) {
|
||||
unlink @file;
|
||||
}
|
||||
closedir(DOOMED);
|
||||
rmdir $dir;
|
||||
}
|
||||
}
|
||||
|
||||
# Print error message
|
||||
sub printError {
|
||||
my ($msg) = @_;
|
||||
Newt::Suspend();
|
||||
print STDERR "$msg\n";
|
||||
Newt::Resume();
|
||||
}
|
||||
|
||||
# Is the given key in the database?
|
||||
sub keyInDatabase {
|
||||
my ($nickname, $dbdir) = @_;
|
||||
my $tmp = "tmp";
|
||||
my $answer = `$bindir/certutil -L -d $dbdir | grep $nickname`;
|
||||
return $answer;
|
||||
}
|
||||
|
||||
######################################################################
|
||||
# The window functions
|
||||
|
||||
@ -736,6 +786,7 @@ EOT
|
||||
sub passwordWindow
|
||||
{
|
||||
return moduleAccesPasswordWindow() if $nss;
|
||||
return "Next" if $renew;
|
||||
|
||||
my $message = <<EOT;
|
||||
At this stage you can set the passphrase on your private key. If you
|
||||
@ -869,7 +920,8 @@ sub makeCertNSS
|
||||
# If no days specified it's a ca so use 2 years
|
||||
use integer;
|
||||
my $months = $days / 30;
|
||||
my $trustargs = "\"" . "TCu,TCu,TCuw". "\"";
|
||||
my $trustargs = $ca_mode ? "CT,," : "u,,";
|
||||
$trustargs = "\"" . $trustargs. "\"";
|
||||
|
||||
my $args = "-S ";
|
||||
$args .= "-n $nickname ";
|
||||
@ -1032,6 +1084,69 @@ sub genRequestOpenSSL
|
||||
}
|
||||
}
|
||||
|
||||
# Renew a certificate which is stored in the nss database
|
||||
sub renewCertNSS
|
||||
{
|
||||
my ($csrfile, $dbdir, $dbprefix, $nickname, $days, $pwdfile) = @_;
|
||||
|
||||
use integer;
|
||||
my $months = $days ? $days / 30 : 24;
|
||||
|
||||
# Build the arguments for a certificate renewal request
|
||||
# This is a request where we reuse the existing key pair
|
||||
|
||||
my $args = "-R ";
|
||||
$args .= "-d $dbdir ";
|
||||
$args .= "-p $dbprefix " if $dbprefix;
|
||||
$args .= "-a "; ## using ascii
|
||||
$args .= "-k $nickname "; ## pass cert nickname as key id
|
||||
$args .= "-f $pwdfile " if $pwdfile;
|
||||
$args .= "-v $months ";
|
||||
$args .= "-o $csrfile ";
|
||||
|
||||
nssUtilCmd("$bindir/certutil", $args);
|
||||
|
||||
if (!-f $csrfile) {
|
||||
Newt::newtWinMessage("Error", "Close",
|
||||
"Was not able to create a CSR for this ".
|
||||
"host:\n\nPress return to exit");
|
||||
Newt::Finished();
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
# Renew a certificate which is stored in a PEM file
|
||||
sub renewCertOpenSSL
|
||||
{
|
||||
my ($csrfile, # output
|
||||
$certfile,$keyfile,$days,$isca) = @_;
|
||||
|
||||
use integer;
|
||||
my $months = $days ? $days / 30 : 24;
|
||||
|
||||
# Build the arguments for a certificate renewal request
|
||||
# This is a request where we reuse the existing key pair
|
||||
|
||||
my $args = "--command genreq ";
|
||||
$args .= "--renew $certfile ";
|
||||
$args .= "--input $keyfile ";
|
||||
$args .= "--validity $months ";
|
||||
$args .= "--out $csrfile ";
|
||||
|
||||
nssUtilCmd("$bindir/keyutil", $args);
|
||||
|
||||
unlink($noisefile);
|
||||
Newt::Resume();
|
||||
|
||||
if (!-f $csrfile) {
|
||||
Newt::newtWinMessage("Error", "Close",
|
||||
"Unable to create a cert signing request for this ".
|
||||
"host:\n\nPress return to exit");
|
||||
Newt::Finished();
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
sub AddField
|
||||
{
|
||||
my ($panel, $row, $msg, $default, $width, $topspace, $flags) = (@_, 0, 0);
|
||||
@ -1193,12 +1308,61 @@ EOT
|
||||
return $ret;
|
||||
}
|
||||
|
||||
# Cert signing request generation for renewal
|
||||
sub renewCert
|
||||
{
|
||||
my ($csrfile) = @_;
|
||||
|
||||
my $tempDbDir = "/tmp/nss.".$$;
|
||||
|
||||
# Get a comfirmation
|
||||
my $msg = "You are about to issue a certificate renewal";
|
||||
my $panel = Newt::Panel(1, 2, "Certificate Renewal");
|
||||
$panel->Add(0, 0,
|
||||
Newt::TextboxReflowed(60, 10, 10, 0,
|
||||
"Would you like to send a Certificate Request" .
|
||||
"for\n\n$servername".
|
||||
"\nto a Certificate Authority (CA)?"));
|
||||
|
||||
$panel->Add(0, 1, DoubleButton("Yes", "No"));
|
||||
$ret = &RunForm($panel);
|
||||
$panel->Hide();
|
||||
undef $panel;
|
||||
|
||||
return "Cancel" if $ret eq "Cancel";
|
||||
|
||||
# Cert to renew could be in the nss database or in a pem file
|
||||
|
||||
if ($nss) {
|
||||
# Renew cert in the nss database
|
||||
renewCertNSS(
|
||||
$csrfile,
|
||||
$modNssDbDir,
|
||||
$nssDBPrefix,
|
||||
$nssNickname,
|
||||
$days,
|
||||
$tmpPasswordFile);
|
||||
|
||||
} else {
|
||||
# Renew cert in a PEM file
|
||||
renewCertOpenSSL(
|
||||
$csrfile,
|
||||
$certfile, # contains cert to renew
|
||||
$keyfile, # contains encrypted private key
|
||||
$days,
|
||||
$isca);
|
||||
|
||||
## FIXME don't harcode password - keypwdfile and I
|
||||
## though it was the p12 file pwd
|
||||
}
|
||||
}
|
||||
|
||||
sub genReqWindow
|
||||
{
|
||||
return "Skip" unless $useca;
|
||||
|
||||
$keyfile = $ssltop."/private/".$servername.".key";
|
||||
$certfile = $ssltop."/certs/".$servername.".cert";
|
||||
$certfile = $ssltop."/certs/".$servername.".crt";
|
||||
|
||||
$num = 0;
|
||||
while (-f $ssltop."/certs/".$servername.".$num.csr") {
|
||||
@ -1206,6 +1370,8 @@ sub genReqWindow
|
||||
}
|
||||
$csrfile = $ssltop."/certs/".$servername.".$num.csr";
|
||||
|
||||
return renewCert($csrfile) if $renew;
|
||||
|
||||
my $msg = "You are about to be asked to enter information that will be ".
|
||||
"incorporated into your certificate request to a CA. What you are about to ".
|
||||
"enter is what is called a Distinguished Name or a DN. There are ".
|
||||
|
Loading…
Reference in New Issue
Block a user