diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl
index 2d6c0709d..22b16862e 100644
--- a/install/share/csrgen/templates/openssl_base.tmpl
+++ b/install/share/csrgen/templates/openssl_base.tmpl
@@ -3,15 +3,16 @@
 {%- endraw %}
 #!/bin/bash -e
-if [[ $# -ne 2 ]]; then
-echo "Usage: $0 "
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0 "
 echo "Called as: $0 $@"
 exit 1
 fi
 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift
 echo \
 {% raw %}{% filter quote %}{% endraw -%}
@@ -30,5 +31,5 @@ req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall
 {{ openssl.openssl_sections|join('\n\n') }}
 {% endfilter %}{%- endraw %} > "$CONFIG"
-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"
diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 16244e121..348529ca0 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -51,6 +51,11 @@ class cert_request(MethodOverride):
 label=_('Path to private key file'),
 doc=_('Path to PEM file containing a private key'),
 ),
+ Str(
+ 'password_file?',
+ label=_(
+ 'File containing a password for the private key or database'),
+ ),
 Str(
 'csr_profile_id?',
 label=_('Name of CSR generation profile (if not the same as'
@@ -68,14 +73,19 @@ class cert_request(MethodOverride):
 database = options.pop('database', None)
 private_key = options.pop('private_key', None)
 csr_profile_id = options.pop('csr_profile_id', None)
+ password_file = options.pop('password_file', None)
 if csr is None:
 if database:
 helper = u'certutil'
 helper_args = ['-d', database]
+ if password_file:
+ helper_args += ['-f', password_file]
 elif private_key:
 helper = u'openssl'
 helper_args = [private_key]
+ if password_file:
+ helper_args += ['-passin', 'file:%s' % password_file]
 else:
 raise errors.InvocationError(
 message=u"One of 'database' or 'private_key' is required")
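Review bot: The generated script's argument contract is undocumented now that the check at the top of this hunk is relaxed to `$# -lt 2`. Everything after the key file stays in `$@`, and the second hunk appends it to `openssl req` unchanged, so callers should know those arguments are trusted verbatim. A comment above the check would make that explicit, for example `# $1: CSR output path; $2: private key file; remaining arguments are passed to openssl req unchanged`. As a small style point, `shift; shift` can be written `shift 2`.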
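Review bot: Because the script runs under `#!/bin/bash -e`, a failing `openssl req` ends it before `rm "$CONFIG"` on the last line of this hunk is reached. Forwarding `-passin` through `"$@"` adds a likely failure case (a wrong or unreadable password file), so the file created by `mktemp` in the first hunk would be left behind more often. Registering the cleanup right after the `mktemp` line with `trap 'rm -f "$CONFIG"' EXIT`, and dropping the final `rm`, would cover every exit path.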
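Review bot: The new `password_file?` option has a `label` but no `doc`, unlike the `private_key` option just above it, which carries `doc=_('Path to PEM file containing a private key')`. Adding `doc=_('Path to a file containing the password for the private key or database')` would keep the help output consistent. The help text is also the natural place to tell users that the file should be readable only by their own account. The option list starts and ends outside this hunk.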
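Review bot: The `-f` pair appended to `helper_args` in the `certutil` branch only takes effect if that helper's script forwards extra arguments, and this diff shows only the openssl template being changed to do so (`"$@"`). If the certutil template does not already pass its remaining arguments on, `password_file` would be dropped or rejected for `database` requests; this is worth confirming and covering with a test for both helpers. `password_file` is also popped and then unused when `csr` is supplied, which may deserve an explicit error rather than being silently ignored. The enclosing method starts and ends outside this hunk.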