Disabled cert renewal for certs on the database until a patch for certutil

comes downstream
2008-10-11 19:43:38 +00:00 · 2008-10-11 19:43:38 +00:00 · d33501a69b
parent 1e54efe076
commit d33501a69b
1 changed files with 28 additions and 16 deletions
--- a/genkey.pl
+++ b/genkey.pl
@ -73,7 +73,7 @@ Usage: genkey [options] servername
    --genreq Generate a Certificate Signing Request (CSR)
    --makeca Generate a self-signed certificate for a CA
    --days   Days until expiry of self-signed certificate (default 30)
-    --renew  CSR is for cert renewal, reusing existing key pair
+    --renew  CSR is for cert renewal, reusing existing key pair, openssl certs only
    --isca   Renewal is for a CA certificate
    --nss    Use the nss database for keys and certificates
 EOH
@ -129,12 +129,12 @@ my $modNssDbDir = '';
 my $nssNickname = '';
 my $nssDBPrefix = '';
 GetOptions('test|t' => \$test_mode, 
-	   'genreq' => \$genreq_mode,
+           'genreq' => \$genreq_mode,
           'days=i' => \$cert_days,
-	   'renew'  => \$renew,
-	   'isca'   => \$isca,
+	       'renew'  => \$renew,
+           'isca'   => \$isca,
           'nss|n'  => \$nss,
-	   'makeca' => \$ca_mode) or usage();
+	       'makeca' => \$ca_mode) or usage();
 usage() unless @ARGV != 0;
 $skip_random = $test_mode;
 $overwrite_key = $test_mode;
@ -1085,6 +1085,11 @@ sub genRequestOpenSSL
 }

 # Renew a certificate which is stored in the nss database
+# Do not call this routine yet as certutil does not support
+# certificate renewal in a convenient way for scripts. We must
+# wait until NSS 3.12.2 becomes available with the fix for
+# https://bugzilla.redhat.com/show_bug.cgi?id=346731
+# for this routine to work
 sub renewCertNSS
 {
    my ($csrfile, $dbdir, $dbprefix, $nickname, $days, $pwdfile) = @_;
@ -1119,7 +1124,7 @@ sub renewCertNSS
 sub renewCertOpenSSL
 {
    my ($csrfile, # output
-        $certfile,$keyfile,$days,$isca) = @_;
+        $certfile,$keyfile,$days) = @_;

    use integer;
    my $months = $days ? $days / 30 : 24;
@ -1335,22 +1340,29 @@ sub renewCert

    if ($nss) {
        # Renew cert in the nss database
-        renewCertNSS(
-            $csrfile,
-            $modNssDbDir,
-            $nssDBPrefix,
-            $nssNickname,
-            $days,
-            $tmpPasswordFile);
-    	
+        #
+        # Must wait until NSS 3.12.2 becomes available with the fix for
+        # https://bugzilla.redhat.com/show_bug.cgi?id=346731
+        # <<certutil -R for cert renewal should derive the subject 
+        #  from the cert if none is specified>>
+        #  
+        # renewCertNSS($csrfile, $modNssDbDir, $nssDBPrefix, $nssNickname, $days, $tmpPasswordFile);
+	    #
+        # Until then bail out.
+        #
+        Newt::newtWinMessage("Error", "Close", 
+                 "Certificate renewal with NSS database not yet supported:".
+                 "\n\nPress return to exit");
+        Newt::Finished();
+        exit 1; 
+          
    } else {	
        # Renew cert in a PEM file
        renewCertOpenSSL(
            $csrfile,
            $certfile, # contains cert to renew
            $keyfile,  # contains encrypted private key
-            $days, 
-            $isca);
+            $days);

    	## FIXME don't harcode password - keypwdfile and I
    	## though it was the p12 file pwd