Allow choosing CA-less server certificates by name

Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.

https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>

install/tools/ipa-server-install

@@ -248,6 +248,15 @@ def parse_options():
                       help="The password to unlock the Kerberos KDC private key")
     cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
                       help=SUPPRESS_HELP)
+    cert_group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
+                      metavar="NAME",
+                      help="Name of the Directory Server SSL certificate to install")
+    cert_group.add_option("--http-cert-name", dest="http_cert_name",
+                      metavar="NAME",
+                      help="Name of the Apache Server SSL certificate to install")
+    cert_group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
+                      metavar="NAME",
+                      help="Name of the Kerberos KDC SSL certificate to install")
     cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
                       action="append", metavar="FILE",
                       help="File containing CA certificates for the service certificate files")
@@ -943,7 +952,7 @@ def main():
         http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
             cert_files=options.http_cert_files,
             key_password=options.http_pin,
-            key_nickname=None,
+            key_nickname=options.http_cert_name,
             ca_cert_files=options.ca_cert_files,
             host_name=host_name)
         http_pkcs12_info = (http_pkcs12_file.name, http_pin)
@@ -959,7 +968,7 @@ def main():
         dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
             cert_files=options.dirsrv_cert_files,
             key_password=options.dirsrv_pin,
-            key_nickname=None,
+            key_nickname=options.dirsrv_cert_name,
             ca_cert_files=options.ca_cert_files,
             host_name=host_name)
         dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
@@ -975,7 +984,7 @@ def main():
         pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
             cert_files=options.pkinit_cert_files,
             key_password=options.pkinit_pin,
-            key_nickname=None,
+            key_nickname=options.pkinit_cert_name,
             ca_cert_files=options.ca_cert_files,
             host_name=host_name)
         pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)

install/tools/man/ipa-replica-prepare.1

@@ -53,6 +53,15 @@ The password to unlock the Apache Server private key
 \fB\-\-pkinit\-pin\fR=\fIPIN\fR
 The password to unlock the Kerberos KDC private key
 .TP
+\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
+Name of the Directory Server SSL certificate to install
+.TP
+\fB\-\-http\-cert\-name\fR=\fINAME\fR
+Name of the Apache Server SSL certificate to install
+.TP
+\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
+Name of the Kerberos KDC SSL certificate to install
+.TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
 .TP

install/tools/man/ipa-server-certinstall.1

@@ -40,6 +40,9 @@ Install the certificate in the Apache Web Server
 \fB\-\-pin\fR=\fIPIN\fR
 The password to unlock the private key
 .TP
+\fB\-\-cert\-name\fR=\fINAME\fR
+Name of the certificate to install
+.TP
 \fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
 Directory Manager password
 .SH "EXIT STATUS"

install/tools/man/ipa-server-install.1

@@ -111,6 +111,15 @@ The password to unlock the Apache Server private key
 \fB\-\-pkinit\-pin\fR=\fIPIN\fR
 The password to unlock the Kerberos KDC private key
 .TP
+\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
+Name of the Directory Server SSL certificate to install
+.TP
+\fB\-\-http\-cert\-name\fR=\fINAME\fR
+Name of the Apache Server SSL certificate to install
+.TP
+\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
+Name of the Kerberos KDC SSL certificate to install
+.TP
 \fB\-\-ca\-cert\-file\fR=\fIFILE\fR
 File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
 .TP

ipaserver/install/ipa_replica_prepare.py

@@ -108,6 +108,15 @@ class ReplicaPrepare(admintool.AdminTool):
             help="The password to unlock the Kerberos KDC private key")
         group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
             help=SUPPRESS_HELP)
+        group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
+            metavar="NAME",
+            help="Name of the Directory Server SSL certificate to install")
+        group.add_option("--http-cert-name", dest="http_cert_name",
+            metavar="NAME",
+            help="Name of the Apache Server SSL certificate to install")
+        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
+            metavar="NAME",
+            help="Name of the Kerberos KDC SSL certificate to install")
         parser.add_option_group(group)
 
     def validate_options(self):
@@ -262,7 +271,8 @@ class ReplicaPrepare(admintool.AdminTool):
                     raise admintool.ScriptError(
                         "Apache Server private key unlock password required")
             http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
-                options.http_cert_files, options.http_pin, None)
+                options.http_cert_files, options.http_pin,
+                options.http_cert_name)
             self.http_pkcs12_file = http_pkcs12_file
             self.http_pin = http_pin
 
@@ -275,7 +285,8 @@ class ReplicaPrepare(admintool.AdminTool):
                     raise admintool.ScriptError(
                         "Directory Server private key unlock password required")
             dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
-                options.dirsrv_cert_files, options.dirsrv_pin, None)
+                options.dirsrv_cert_files, options.dirsrv_pin,
+                options.dirsrv_cert_name)
             self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
             self.dirsrv_pin = dirsrv_pin
 
@@ -288,7 +299,8 @@ class ReplicaPrepare(admintool.AdminTool):
                     raise admintool.ScriptError(
                         "Kerberos KDC private key unlock password required")
             pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
-                options.pkinit_cert_files, options.pkinit_pin, None)
+                options.pkinit_cert_files, options.pkinit_pin,
+                options.pkinit_cert_name)
             self.pkinit_pkcs12_file = pkinit_pkcs12_file
             self.pkinit_pin = pkinit_pin
 

ipaserver/install/ipa_server_certinstall.py

@@ -60,6 +60,10 @@ class ServerCertInstall(admintool.AdminTool):
             "--dirsrv_pin", "--http_pin",
             dest="pin",
             help=optparse.SUPPRESS_HELP)
+        parser.add_option(
+            "--cert-name",
+            dest="cert_name", metavar="NAME",
+            help="Name of the certificate to install")
         parser.add_option(
             "-p", "--dirman-password",
             dest="dirman_password",
@@ -155,7 +159,7 @@ class ServerCertInstall(admintool.AdminTool):
         pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
             cert_files=self.args,
             key_password=pkcs12_passwd,
-            key_nickname=None,
+            key_nickname=self.options.cert_name,
             ca_cert_files=[CACERT],
             host_name=api.env.host)