Add the ability to replace existing certificates

Joe Julian 2015-05-07 13:25:08 -07:00
parent 587957badc
commit 4a4cbdd266


@ -276,7 +276,7 @@ def get_ca(ca_name, as_text=False, cacert_path=None):
ca_name,
ca_name)
if not os.path.exists(certp):
raise ValueError('Certificate does not exists for {0}'.format(ca_name))
raise ValueError('Certificate does not exist for {0}'.format(ca_name))
else:
if as_text:
with salt.utils.fopen(certp) as fic:
@ -296,7 +296,8 @@ def create_ca(ca_name,
emailAddress='xyz@pdq.net',
fixmode=False,
cacert_path=None,
digest='sha256'):
digest='sha256',
replace=False):
'''
Create a Certificate Authority (CA)
@ -326,6 +327,10 @@ def create_ca(ca_name,
The message digest algorithm. Must be a string describing a digest
algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
For example, "md5" or "sha1". Default: 'sha256'
replace
Replace this certificate even if it exists
.. versionadded:: 2015.5.1
Writes out a CA certificate based upon defined config values. If the file
already exists, the function just returns assuming the CA certificate
@ -356,7 +361,7 @@ def create_ca(ca_name,
cert_base_path(), ca_name, ca_name)
ca_keyp = '{0}/{1}/{2}_ca_cert.key'.format(
cert_base_path(), ca_name, ca_name)
if (not fixmode) and ca_exists(ca_name):
if not replace and not fixmode and ca_exists(ca_name):
return (
'Certificate for CA named "{0}" '
'already exists').format(ca_name)
@ -459,7 +464,8 @@ def create_csr(ca_name,
emailAddress='xyz@pdq.net',
subjectAltName=None,
cacert_path=None,
digest='sha256'):
digest='sha256',
replace=False):
'''
Create a Certificate Signing Request (CSR) for a
particular Certificate Authority (CA)
@ -491,6 +497,10 @@ def create_csr(ca_name,
The message digest algorithm. Must be a string describing a digest
algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
For example, "md5" or "sha1". Default: 'sha256'
replace
Replace this signing request even if it exists
.. versionadded:: 2015.5.1
Writes out a Certificate Signing Request (CSR) If the file already
exists, the function just returns assuming the CSR already exists.
@ -532,7 +542,7 @@ def create_csr(ca_name,
csr_f = '{0}/{1}/certs/{2}.csr'.format(cert_base_path(),
ca_name, CN)
if os.path.exists(csr_f):
if not replace and os.path.exists(csr_f):
return 'Certificate Request "{0}" already exists'.format(csr_f)
key = OpenSSL.crypto.PKey()
@ -598,7 +608,8 @@ def create_self_signed_cert(tls_dir='tls',
OU=None,
emailAddress='xyz@pdq.net',
cacert_path=None,
digest='sha256'):
digest='sha256',
replace=False):
'''
Create a Self-Signed Certificate (CERT)
@ -628,6 +639,10 @@ def create_self_signed_cert(tls_dir='tls',
The message digest algorithm. Must be a string describing a digest
algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
For example, "md5" or "sha1". Default: 'sha256'
replace
Replace this certificate even if it exists
.. versionadded:: 2015.5.1
Writes out a Self-Signed Certificate (CERT). If the file already
exists, the function just returns.
@ -661,7 +676,7 @@ def create_self_signed_cert(tls_dir='tls',
os.makedirs("{0}/{1}/certs/".format(cert_base_path(),
tls_dir))
if os.path.exists(
if not replace and os.path.exists(
'{0}/{1}/certs/{2}.crt'.format(cert_base_path(),
tls_dir, CN)
):
@ -728,7 +743,13 @@ def create_self_signed_cert(tls_dir='tls',
return ret
def create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, digest='sha256', **extensions):
def create_ca_signed_cert(ca_name,
CN,
days=365,
cacert_path=None,
digest='sha256',
replace=False,
**extensions):
'''
Create a Certificate (CERT) signed by a named Certificate Authority (CA)
@ -741,20 +762,20 @@ def create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, digest='sha25
ca_name
name of the CA
CN
common name matching the certificate signing request
days
number of days certificate is valid, Default is ``365`` (1 year)
cacert_path
absolute path to ca certificates root directory
digest
The message digest algorithm. Must be a string describing a digest
algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
For example, "md5" or "sha1". Default: 'sha256'
replace
Replace this certificate even if it exists
.. versionadded:: 2015.5.1
**extensions
X509 V3 certificate extension
@ -790,7 +811,7 @@ def create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, digest='sha25
crt_f = '{0}/{1}/certs/{2}.crt'.format(cert_base_path(),
ca_name, CN)
if os.path.exists(crt_f):
if not replace and os.path.exists(crt_f):
return 'Certificate "{0}" already exists'.format(CN)
try:
@ -882,7 +903,7 @@ def create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, digest='sha25
)
def create_pkcs12(ca_name, CN, passphrase='', cacert_path=None):
def create_pkcs12(ca_name, CN, passphrase='', cacert_path=None, replace=False):
'''
Create a PKCS#12 browser certificate for a particular Certificate (CN)
@ -894,6 +915,10 @@ def create_pkcs12(ca_name, CN, passphrase='', cacert_path=None):
used to unlock the PKCS#12 certificate when loaded into the browser
cacert_path
absolute path to ca certificates root directory
replace
Replace this certificate even if it exists
.. versionadded:: 2015.5.1
If the following values were set:
@ -917,7 +942,7 @@ def create_pkcs12(ca_name, CN, passphrase='', cacert_path=None):
salt '*' tls.create_pkcs12 test localhost
'''
set_ca_path(cacert_path)
if os.path.exists(
if not replace and os.path.exists(
'{0}/{1}/certs/{2}.p12'.format(
cert_base_path(),
ca_name,
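Review bot: Passing `replace=True` through the relaxed guard in `create_ca` (`if not replace and not fixmode and ca_exists(ca_name):`) lets the CA's own certificate and key at `ca_keyp` be regenerated in place, which silently invalidates every certificate previously signed by that CA, and the new docstring entry `Replace this certificate even if it exists` says nothing about that consequence. The same concern applies to `create_csr`, where a fresh `OpenSSL.crypto.PKey()` is built immediately after the relaxed `if not replace and os.path.exists(csr_f):` check, so the existing private key for that CN is presumably overwritten and any certificate already issued against it stops matching. I would extend the `replace` entries in both docstrings to read `Replace this certificate even if it exists. For a CA this regenerates the CA key and invalidates all certificates previously signed by it; for a CSR it replaces the private key for this CN.`, and consider keeping a backup of the files being overwritten rather than leaving that to the caller. Whether `create_ca` actually regenerates the key on the replace path is not visible here, since the body of `create_ca` continues outside the hunk.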