Added upgrade script for ACME server cert profile

The ACME server cert profile (acmeServerCert.cfg) has been moved into /usr/share/pki/ca/profiles/ca such that it will be included in new CA installations. An upgrade script has been added to deploy the profile into existing instances and update the CS.cfg when the server is restarted.
SilleBille · May 14, 2020 · fe5b3a3 · fe5b3a3
1 parent 5129d42
commit fe5b3a3
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 19 deletions.
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
@@ -955,7 +955,9 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=org.mozilla.jss.netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caServerCertWithSCT,caECServerCertWithSCT,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=acmeServerCert,caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caServerCertWithSCT,caECServerCertWithSCT,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.acmeServerCert.class_id=caEnrollImpl
+profile.acmeServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/acmeServerCert.cfg
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl

diff --git a/base/ca/shared/profiles/acmeServerCert.cfg → .../ca/shared/profiles/ca/acmeServerCert.cfg b/base/ca/shared/profiles/acmeServerCert.cfg → .../ca/shared/profiles/ca/acmeServerCert.cfg
diff --git a/base/server/upgrade/10.9.0/02-AddACMEServerCertProfile.py b/base/server/upgrade/10.9.0/02-AddACMEServerCertProfile.py
@@ -0,0 +1,49 @@
+# Authors:
+#     Endi S. Dewata <edewata@redhat.com>
+#
+# Copyright Red Hat, Inc.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+from __future__ import absolute_import
+import logging
+import os
+
+import pki
+
+logger = logging.getLogger(__name__)
+
+
+class AddACMEServerCertProfile(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+        super(AddACMEServerCertProfile, self).__init__()
+        self.message = 'Add acmeServerCert profile'
+
+    def upgrade_subsystem(self, instance, subsystem):
+
+        if subsystem.name != 'ca':
+            return
+
+        path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'acmeServerCert.cfg')
+
+        if not os.path.exists(path):
+            logger.info('Creating acmeServerCert.cfg')
+            self.backup(path)
+            instance.copyfile('/usr/share/pki/ca/profiles/ca/acmeServerCert.cfg', path)
+
+        logger.info('Adding acmeServerCert into profile.list')
+        profile_list = subsystem.config.get('profile.list').split(',')
+        if 'acmeServerCert' not in profile_list:
+            profile_list.append('acmeServerCert')
+            profile_list.sort()
+            subsystem.config['profile.list'] = ','.join(profile_list)
+
+        logger.info('Adding profile.acmeServerCert.class_id')
+        subsystem.config['profile.acmeServerCert.class_id'] = 'caEnrollImpl'
+
+        logger.info('Adding profile.acmeServerCert.config')
+        subsystem.config['profile.acmeServerCert.config'] = path
+
+        self.backup(subsystem.cs_conf)
+        subsystem.save()
diff --git a/docs/installation/Installing_ACME_Responder.md b/docs/installation/Installing_ACME_Responder.md
@@ -14,24 +14,6 @@ It assumes that the CA was [installed](Installing_CA.md) with the default instan
 * The API, configuration, or the database may change in the future.
 * There may be no easy upgrade path to the future version.
 
-## Installing ACME Profile
-
-The acmeServerCert.cfg is a sample profile for generating server certificates via ACME responder.
-
-This profile is currently not installed by default in the CA, so it needs to be added and enabled manually.
-
-To add the profile, execute the following command:
-
-```
-$ pki -u caadmin -w Secret.123 ca-profile-add /usr/share/pki/ca/profiles/acmeServerCert.cfg --raw
-```
-
-To enable the profile, execute the following command:
-
-```
-$ pki -u caadmin -w Secret.123 ca-profile-enable acmeServerCert
-```
-
 ## Installing ACME Responder
 
 To install the ACME responder on PKI server, execute the following command: