authorAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-02-14 16:43:09 +0100
committerAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-02-14 16:45:16 +0100
commit2132d4f7dea1e7355702ca096ff88628c4174bca (patch)
treedf848b87dff340a08cd53d3ee81a10270f2aa8cf
parentfd577d6005b037e886c17bf1bbc396090791315a (diff)
SSLCA: Allow to create self signed certificates
-rw-r--r--schemas/sslca-cert.xsd8
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py26
2 files changed, 24 insertions, 10 deletions
diff --git a/schemas/sslca-cert.xsd b/schemas/sslca-cert.xsd
index 7330ca0ff..4dad1ca1f 100644
--- a/schemas/sslca-cert.xsd
+++ b/schemas/sslca-cert.xsd
@@ -98,6 +98,14 @@
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
+ <xsd:attribute type="xsd:boolean" name="self_sign" default="false">
+ <xsd:annotation>
+ <xsd:documentation>
+ Create a self signed certificate. If you set this to ``true``,
+ you do not need a ca setting.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
<xsd:attribute type="xsd:integer" name="days" default="365">
<xsd:annotation>
<xsd:documentation>
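Review bot: The documentation added for `self_sign` states only that no `ca` setting is needed, but it leaves out the consequence on the verification side: in the Python change of this commit a self-signed certificate skips `verify_cert_against_ca` entirely and is checked against its key only. Suggested wording: `Create a self signed certificate. If you set this to ``true``, no ca setting is needed and the certificate is not verified against any CA chain.` Since the attribute is typed `xsd:boolean`, the values `1` and `0` are also schema-valid; the documentation should say which spellings the generator actually honours.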
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 09a09787e..698203a87 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -130,15 +130,20 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
""" generate a new cert """
self.logger.info("Cfg: Generating new SSL cert for %s" % self.name)
cert = self.XMLMatch(metadata).find("Cert")
- ca = self.get_ca(cert.get('ca', 'default'))
- req = self.build_request(self._get_keyfile(cert, metadata), metadata)
+ keyfile = self._get_keyfile(cert, metadata)
+ req = self.build_request(keyfile, metadata)
try:
days = cert.get('days', '365')
- cmd = ["openssl", "ca", "-config", ca['config'], "-in", req,
- "-days", days, "-batch"]
- passphrase = ca.get('passphrase')
- if passphrase:
- cmd.extend(["-passin", "pass:%s" % passphrase])
+ if cert.get('self_sign', 'false') != 'true':
+ ca = self.get_ca(cert.get('ca', 'default'))
+ cmd = ["openssl", "ca", "-config", ca['config'],
+ "-in", req, "-days", days, "-batch"]
+ passphrase = ca.get('passphrase')
+ if passphrase:
+ cmd.extend(["-passin", "pass:%s" % passphrase])
+ else:
+ cmd = ["openssl", "req", "-in", req, "-x509",
+ "-days", days, "-key", keyfile, "-batch"]
result = self.cmd.run(cmd)
if not result.success:
raise CfgCreationError("Failed to generate cert: %s" %
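Review bot: The switch `if cert.get('self_sign', 'false') != 'true':` only recognises the literal string `true`, while the schema in this same commit declares `self_sign` as `xsd:boolean`, whose lexical space also includes `1`; a `self_sign="1"` entry silently falls into the CA branch and is signed by (or fails against) the default CA. The identical test is repeated in the verification hunk at `@@ -165,10 +170,11 @@`, so both places should share one parse, e.g. `self_sign = cert.get('self_sign', 'false').strip().lower() in ('true', '1')` followed by `if not self_sign:`. In the self-signed branch `openssl req -x509` runs without `-config`, so the extensions written into the certificate come from the system default openssl.cnf rather than from the CA's config, and on recent OpenSSL releases `req -x509` marks the certificate as a CA (basicConstraints CA:TRUE) unless an extensions section is given — worth confirming and pinning with an explicit `-extensions` section so a self-signed server certificate cannot act as an issuer. The CA passphrase is still handed over as `pass:%s` on the command line (pre-existing, carried over here), where it is visible to every local user in the process list; `-passin file:` or `-passin stdin` would keep it out of argv. The enclosing method starts before and ends after this hunk.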
@@ -165,10 +170,11 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
"verification" % (entry.get("name"), fname))
os.fdopen(fd, 'w').write(data)
cert = self.XMLMatch(metadata).find("Cert")
- ca = self.get_ca(cert.get('ca', 'default'))
try:
- if ca.get('chaincert'):
- self.verify_cert_against_ca(fname, entry, metadata)
+ if cert.get('self_sign', 'false') != 'true':
+ ca = self.get_ca(cert.get('ca', 'default'))
+ if ca.get('chaincert'):
+ self.verify_cert_against_ca(fname, entry, metadata)
self.verify_cert_against_key(fname,
self._get_keyfile(cert, metadata))
finally: