Enable nss cert renewal and disable the pem one
parent
024d17d7f2
commit
62a0a5d953
38
genkey.pl
38
genkey.pl
@ -76,6 +76,7 @@ Usage: genkey [options] servername
|
|||||||
--renew CSR is for cert renewal, reusing existing key pair, openssl certs only
|
--renew CSR is for cert renewal, reusing existing key pair, openssl certs only
|
||||||
--cacert Renewal is for a CA certificate, needed for openssl certs only
|
--cacert Renewal is for a CA certificate, needed for openssl certs only
|
||||||
--nss Use the nss database for keys and certificates
|
--nss Use the nss database for keys and certificates
|
||||||
|
--gdb For package maintainers, to trace into the nss utilities
|
||||||
EOH
|
EOH
|
||||||
exit 1;
|
exit 1;
|
||||||
}
|
}
|
||||||
@ -128,12 +129,14 @@ my $cacert = '';
|
|||||||
my $modNssDbDir = '';
|
my $modNssDbDir = '';
|
||||||
my $nssNickname = '';
|
my $nssNickname = '';
|
||||||
my $nssDBPrefix = '';
|
my $nssDBPrefix = '';
|
||||||
|
my $gdb = '';
|
||||||
GetOptions('test|t' => \$test_mode,
|
GetOptions('test|t' => \$test_mode,
|
||||||
'genreq' => \$genreq_mode,
|
'genreq' => \$genreq_mode,
|
||||||
'days=i' => \$cert_days,
|
'days=i' => \$cert_days,
|
||||||
'renew' => \$renew,
|
'renew' => \$renew,
|
||||||
'cacert' => \$cacert,
|
'cacert' => \$cacert,
|
||||||
'nss|n' => \$nss,
|
'nss|n' => \$nss,
|
||||||
|
'gdb' => \$gdb,
|
||||||
'makeca' => \$ca_mode) or usage();
|
'makeca' => \$ca_mode) or usage();
|
||||||
usage() unless @ARGV != 0;
|
usage() unless @ARGV != 0;
|
||||||
$skip_random = $test_mode;
|
$skip_random = $test_mode;
|
||||||
@ -901,10 +904,12 @@ sub nssUtilCmd {
|
|||||||
Newt::Suspend();
|
Newt::Suspend();
|
||||||
print STDOUT "$cmd $args"."\n";
|
print STDOUT "$cmd $args"."\n";
|
||||||
$! = '';
|
$! = '';
|
||||||
|
if ($gdb) {
|
||||||
|
system("gdb $cmd");
|
||||||
|
} else {
|
||||||
system("$cmd $args");
|
system("$cmd $args");
|
||||||
# change to system("gdb $cmd");
|
|
||||||
# to break into the debugger
|
|
||||||
print STDERR "$cmd returned $!"."\n" if $!;
|
print STDERR "$cmd returned $!"."\n" if $!;
|
||||||
|
}
|
||||||
Newt::Resume();
|
Newt::Resume();
|
||||||
}
|
}
|
||||||
|
|
||||||
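Review bot: The check kept in the `else` branch, `print STDERR "$cmd returned $!"."\n" if $!;`, tests `$!`, which `system` only sets when the child could not be started at all; a non-zero exit from the NSS utility leaves `$!` empty and goes unreported, and the new `gdb` branch has no status check of any kind. Replacing the test with `print STDERR "$cmd failed to start: $!\n" if $? == -1;` followed by `print STDERR "$cmd exited with status " . ($? >> 8) . "\n" if $? >> 8;` reports both cases, and the same two lines can follow the `gdb` call. The `gdb` invocation deliberately drops `$args` (presumably the maintainer re-enters them at gdb's `run` prompt from the `$cmd $args` line printed just above), so a comment such as `# args are not forwarded: pass the printed "$cmd $args" to gdb's run command` would make that intent explicit. Both calls use the single-string form of `system`, so `$args` is parsed by a shell; as it is assembled from file paths, list-form `system($cmd, @arg_list)` would avoid shell interpretation, but that needs the callers to build a list and is beyond this change. `nssUtilCmd` begins before the hunk.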
@ -1006,7 +1011,7 @@ sub makeCertOpenSSL
|
|||||||
$args .= "-z $noisefile " if $noisefile;
|
$args .= "-z $noisefile " if $noisefile;
|
||||||
$args .= "-e $pwdfile " if $pwdfile;
|
$args .= "-e $pwdfile " if $pwdfile;
|
||||||
# there is no password when the
|
# there is no password when the
|
||||||
# user wants the key in the clar
|
# user wants the key in the clear
|
||||||
$args .= "-o $certfile ";
|
$args .= "-o $certfile ";
|
||||||
$args .= "-k $keyfile";
|
$args .= "-k $keyfile";
|
||||||
|
|
||||||
@ -1136,6 +1141,7 @@ sub renewCertOpenSSL
|
|||||||
$args .= "--renew $certfile ";
|
$args .= "--renew $certfile ";
|
||||||
$args .= "--input $keyfile ";
|
$args .= "--input $keyfile ";
|
||||||
$args .= "--cacert " if $cacert;
|
$args .= "--cacert " if $cacert;
|
||||||
|
$args .= "--filepwdnss $pwdfile " if $pwdfile;
|
||||||
$args .= "--validity $months ";
|
$args .= "--validity $months ";
|
||||||
$args .= "--out $csrfile ";
|
$args .= "--out $csrfile ";
|
||||||
|
|
||||||
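Review bot: The new `$args .= "--filepwdnss $pwdfile " if $pwdfile;` line lands in `renewCertOpenSSL`, whose only call visible in this commit (from `renewCert`) is commented out in the same change, so this path appears unreachable until PEM renewal is re-enabled and the new option has not been exercised here. A comment on the line, `# pass the password file by path, not by value, so the secret stays out of the process argument list`, would record why the file rather than its contents is handed over. `renewCertOpenSSL` begins before the hunk and `$pwdfile` is not declared inside it, so where it is set should be confirmed against the surrounding code.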
@ -1341,31 +1347,19 @@ sub renewCert
|
|||||||
|
|
||||||
if ($nss) {
|
if ($nss) {
|
||||||
# Renew cert in the nss database
|
# Renew cert in the nss database
|
||||||
#
|
renewCertNSS($csrfile, $modNssDbDir, $nssDBPrefix,
|
||||||
# Must wait until NSS 3.12.2 becomes available with the fix for
|
$nssNickname, $days, $tmpPasswordFile);
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=346731
|
} else {
|
||||||
# <<certutil -R for cert renewal should derive the subject
|
# Disabling renewal of certs in PEM files until a future relase
|
||||||
# from the cert if none is specified>>
|
|
||||||
#
|
|
||||||
# renewCertNSS($csrfile, $modNssDbDir, $nssDBPrefix, $nssNickname, $days, $tmpPasswordFile);
|
|
||||||
#
|
|
||||||
# Until then bail out.
|
|
||||||
#
|
|
||||||
Newt::newtWinMessage("Error", "Close",
|
Newt::newtWinMessage("Error", "Close",
|
||||||
"Certificate renewal with NSS database not yet supported:".
|
"Certificate renewal from PEM files is not yet supported:".
|
||||||
"\n\nPress return to exit");
|
"\n\nPress return to exit");
|
||||||
Newt::Finished();
|
Newt::Finished();
|
||||||
exit 1;
|
exit 1;
|
||||||
|
|
||||||
} else {
|
# Enable this when ready
|
||||||
# Renew cert in a PEM file
|
# Renew cert in a PEM file
|
||||||
renewCertOpenSSL(
|
#renewCertOpenSSL($csrfile, $certfile, $keyfile, $cacert, $days);
|
||||||
$csrfile,
|
|
||||||
$certfile, # contains cert to renew
|
|
||||||
$keyfile, # contains encrypted private key
|
|
||||||
$cacert,
|
|
||||||
$days);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
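Review bot: With NSS renewal now live, `--cacert` is silently ignored on that path: `renewCertNSS($csrfile, $modNssDbDir, $nssDBPrefix, $nssNickname, $days, $tmpPasswordFile)` does not receive `$cacert`, and the usage text says the flag is needed for openssl certs only, so `--nss --renew --cacert` proceeds without any notice. If certutil really derives everything from the existing cert, a comment above the call saying `--cacert` is intentionally unused for NSS is enough; otherwise a guard after `GetOptions`, `usage() if $cacert && $nss;`, makes the mismatch visible. The removed comment recorded that NSS renewal depends on NSS 3.12.2 fixing bug 346731; if no version check exists elsewhere, a one-line note such as `# requires NSS >= 3.12.2 (certutil -R derives the subject from the existing cert, bz 346731)` preserves that constraint. In the `else` branch, `#renewCertOpenSSL(...)` sits after `exit 1;`, so `# Enable this when ready` should state that the error dialog and the `exit 1;` must also be removed when re-enabling; "relase" in the disabling comment is a typo for "release".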
|