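#!/usr/bin/python3
#-------------------------------------------------------------------------------
# Name:        Samba PKI Tools
# Purpose:     Issue user certificates (smart-card / UPN style) from the TisPKI
#              root or intermediate CA and bundle them as PKCS#12.
#
# Author:      kguerineau-adm
#
# Created:     10/05/2024
# Copyright:   (c) kguerineau-adm 2024
# Licence:
#-------------------------------------------------------------------------------
# Manage Users Certificates
import configparser
import os
import re
import shutil
import subprocess
import sys
import time

import jinja2
from colorama import Fore, Style

from common import Printing, TisPKI, check_directories, config

# Usernames end up in shell commands, file names and the OpenSSL config, so
# only a plain account name is accepted: alphanumerics plus ``. _ -``.  This
# blocks path traversal (``../``), OpenSSL config injection (newlines, ``[``)
# and anything a shell would interpret.
_USERNAME_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]{0,63}')


def _validate_username(username: str) -> str:
    """Return *username* unchanged if it is a safe account name, else raise.

    Raises:
        ValueError: when the name is empty or contains characters outside
            ``[A-Za-z0-9._-]`` or is longer than 64 characters.
    """
    if not _USERNAME_RE.fullmatch(username or ''):
        raise ValueError(
            f'Invalid username {username!r}: only letters, digits, ".", "_" '
            'and "-" are allowed (max 64 characters)')
    return username


def _ca_settings(upn: str, username: str) -> dict[str, str]:
    """Pick CA-specific paths/URIs depending on ``TisPKI.intermediate_ca``.

    Returns a dict with keys ``crl_file``, ``dc_ca_keyfile``, ``dc_ca_certfile``,
    ``crl_uri``, ``pki_dir``, ``openssl_user_file``, ``emailAddress`` and
    ``commonName``.
    """
    if TisPKI.intermediate_ca:
        return {
            'crl_file': os.path.join(TisPKI.intermediate_crl_path(), 'intermediate_ca.crl'),
            'dc_ca_keyfile': os.path.join(TisPKI.intermediate_keyout_path(), 'intermediate_ca.key'),
            'dc_ca_certfile': os.path.join(TisPKI.intermediate_cert_path(), 'intermediate_ca.crt'),
            'crl_uri': config.get('openssl_config', 'intermediate_crl_uri'),
            'pki_dir': TisPKI.pki_intermediate_dir(),
            'openssl_user_file': os.path.join(TisPKI.intermediate_config_path(), 'openssl_user.ini'),
            'emailAddress': upn,
            'commonName': username,
        }
    return {
        'crl_file': os.path.join(TisPKI.root_crl_path(), 'root_ca.crl'),
        'dc_ca_keyfile': os.path.join(TisPKI.root_keyout_path(), 'root_ca.key'),
        'dc_ca_certfile': os.path.join(TisPKI.root_cert_path(), 'root_ca.crt'),
        'crl_uri': config.get('openssl_config', 'crl_uri'),
        'pki_dir': TisPKI.pki_dir(),
        'openssl_user_file': os.path.join(TisPKI.root_config_path(), 'openssl_user.ini'),
        'emailAddress': upn,
        'commonName': username,
    }


def _run_openssl(args: list[str]) -> subprocess.CompletedProcess:
    """Run one ``openssl`` sub-command as an argv list (no shell) and echo it.

    ``check=True`` so a failing step aborts the whole issuance instead of
    silently continuing with a missing key/CSR/cert.
    """
    result = subprocess.run(['openssl', *args], check=True)
    print(result)
    return result


def generate_user_certificate():
    """Interactively issue a user certificate and a PKCS#12 bundle.

    Steps:
      1. prompt for a username (validated, see ``_validate_username``);
      2. render ``templates/openssl_user_cert.tmpl`` (resolved relative to the
         current working directory) into ``openssl_user.ini`` of the selected
         CA, with a trailing ``[ sanuser ]`` section carrying the
         ``msUPN`` otherName SAN;
      3. ``openssl req``  -> passphrase-protected RSA key + CSR;
      4. ``openssl ca``   -> signed certificate (``usr_cert_scarduser``);
      5. ``openssl rsa``  -> passphrase-less copy of the key;
      6. ``openssl pkcs12 -export`` -> ``<user>.p12`` (OpenSSL prompts for the
         export password itself; none is passed on the command line).

    NOTE(review): the key, CSR, cert and p12 are always written under the
    *root* CA paths (``TisPKI.root_*_path()``) even when the intermediate CA
    signs them; that matches the original behaviour and is kept as-is, but
    looks like it should follow the CA selection — confirm with the author.
    NOTE(review): ``-days 730`` on the command line overrides the
    ``default_cert_duration`` rendered into the config; kept as-is.

    Raises:
        ValueError: if the entered username is not a plain account name.
        subprocess.CalledProcessError: if any ``openssl`` step fails.
    """
    default_bits_user = config.get('openssl_config', 'default_bits_user')
    username = _validate_username(input('Enter username'))
    upn_suffix = config.get('samba_ad', 'upn_suffix')
    upn = f'{username}@{upn_suffix}'

    ca = _ca_settings(upn, username)
    openssl_user_file = ca['openssl_user_file']

    template_dir = 'templates'
    jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
    user_tmpl = jinja_env.get_template('openssl_user_cert.tmpl')
    user_tmpl_var = {
        'crl_uri': ca['crl_uri'],
        'pki_dir': ca['pki_dir'],
        'default_cert_duration': config.get('openssl_config', 'default_cert_duration'),
        'country': config.get('openssl_config', 'country'),
        'state': config.get('openssl_config', 'state'),
        'city': config.get('openssl_config', 'city'),
        'organization_name': config.get('openssl_config', 'organization_name'),
        'organization_ou': config.get('openssl_config', 'organization_ou'),
        'dc_ca_keyfile': ca['dc_ca_keyfile'],
        'dc_ca_certfile': ca['dc_ca_certfile'],
        'default_bits_user': default_bits_user,
        'emailAddress': ca['emailAddress'],
        'commonName': ca['commonName'],
    }
    config_string = user_tmpl.render(user_tmpl_var)

    # The SAN section used to be spliced in through a bash heredoc + process
    # substitution; it is now appended to the generated config so that every
    # openssl call can take a plain file path and no shell is involved.
    san_section = f'\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\n'
    with open(openssl_user_file, 'wt') as file:
        file.write(config_string)
        file.write(san_section)
    print('User OpenSSL configfile is correctly generated !')

    key_path = os.path.join(TisPKI.root_keyout_path(), f'{username}.key')
    nopass_key_path = os.path.join(TisPKI.root_keyout_path(), f'{username}-nopasswd.key')
    csr_path = os.path.join(TisPKI.root_csr_path(), f'{username}.csr')
    cert_path = os.path.join(TisPKI.root_cert_path(), f'{username}.crt')
    p12_path = os.path.join(TisPKI.root_p12_path(), f'{username}.p12')

    print(f'Generate private key for {upn}')
    _run_openssl([
        'req', '-new', '-newkey', f'rsa:{default_bits_user}',
        '-keyout', key_path, '-out', csr_path, '-config', openssl_user_file,
    ])
    os.chmod(key_path, 0o600)

    print('Sign certificate')
    _run_openssl([
        'ca', '-extensions', 'usr_cert_scarduser', '-days', '730', '-notext',
        '-md', 'sha512', '-create_serial', '-in', csr_path, '-out', cert_path,
        '-config', openssl_user_file,
    ])

    # SECURITY: the passphrase-less key is left on disk next to the protected
    # one; anyone who can read this directory can impersonate the user.  Keep
    # the directory owner-only and consider deleting the file once the .p12
    # has been handed over.
    print('Remove password in rsa key')
    _run_openssl(['rsa', '-in', key_path, '-out', nopass_key_path])
    os.chmod(nopass_key_path, 0o600)

    print('Create p12')
    _run_openssl([
        'pkcs12', '-export', '-inkey', nopass_key_path, '-in', cert_path,
        '-out', p12_path,
    ])
    os.chmod(p12_path, 0o600)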