infra/samba-pki-tools
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
61d50ec61e51405a477cfcd6dfca026fb3e3faa7
samba-pki-tools/intermediate_module.py
T
Kevin Guerineau 61d50ec61e [IMP] Some improvements
2024-05-10 17:31:59 +02:00

116 lines
6.2 KiB
Python
Raw Blame History

#!/usr/bin/python3
#-------------------------------------------------------------------------------
# Name: Samba PKI Tools
# Purpose:
#
# Author: kguerineau-adm
#
# Created: 10/05/2024
# Copyright: (c) kguerineau-adm 2024
# Licence: <your licence>
#-------------------------------------------------------------------------------
# Maange Intermediate CA
from common import Printing, TisPKI, check_directories, config
import subprocess
import jinja2
import os
import configparser
import sys
from colorama import Fore, Style
import shutil
import time
def create_openssl_intermediate(name, force=False,verbose=False):
## if force:
## Printing.error("Do you realy want to remove ALL you PKI ? This will destroy ALL YOUR CERTIFICATES AND PRIVATE KEY")
## Printing.error("After that, you MUST REGENERATE YOUR PKI with NEW certificates and private key for ALL YOUR DOMAIN CONTROLLERS AND USERS")
## destroy = input('If you are realy sure, please enter : "I want to remove all my PKI" : ')
## if destroy == 'I want to remove all my PKI':
## Printing.information('OK, too late ! Destroying your PKI !')
## time.sleep(1)
## shutil.rmtree(TisPKI.pki_dir(), ignore_errors=True)
Printing.information(f'Create intermediate CA {name}')
check_directories(path=TisPKI.pki_intermediate_dir(name),verbose=verbose)
intermediate_ca_config = os.path.join(TisPKI.intermediate_config_path(name),'create_intermediate_ca.ini')
intermediate_crl_file = os.path.join(TisPKI.intermediate_crl_path(name),f'{name}_intermediate_ca.crl')
root_ca_sign_intermediate = os.path.join(TisPKI.root_config_path(),'openssl_root_ca_sign_intermediate.ini')
if not os.path.isfile(root_ca_sign_intermediate):
if TisPKI.intermediate_ca:
template_dir = os.path.join('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl')
root_ca_tmpl_var = {
'organization_ou': config.get('openssl_config','organization_name') + ' CA',
'pki_dir': TisPKI.pki_dir(),
'root_ca_keyfile': TisPKI.root_ca_keyfile(),
'root_ca_certfile': TisPKI.root_ca_certfile(),
'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri'),
'default_crl_duration' : config.get('openssl_config','default_crl_duration'),
}
config_string = root_ca_tmpl.render(root_ca_tmpl_var)
with open(root_ca_sign_intermediate,'wt') as file:
file.write(config_string)
if os.path.isfile(root_ca_sign_intermediate):
Printing.success('Root CA OpenSSL sign intermediate config file is correctly generated !')
if not os.path.isfile(intermediate_ca_config):
Printing.information('Intermediate CA OpenSSL configfile not exist. Creating...')
template_dir = os.path.join('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
intermediate_ca_tmpl = jinja_env.get_template('openssl_create_intermediate_ca.tmpl')
intermediate_ca_tmpl_var = {
'country': config.get('openssl_config','country'),
'state': config.get('openssl_config','state'),
'city': config.get('openssl_config','city'),
'organization_name': config.get('openssl_config','organization_name'),
'organization_ou': config.get('openssl_config','organization_ou'),
'intermediate_organization_cn': name,
'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri')
}
config_string = intermediate_ca_tmpl.render(intermediate_ca_tmpl_var)
with open(intermediate_ca_config,'wt') as file:
file.write(config_string)
if os.path.isfile(intermediate_ca_config):
Printing.success('Intermediate CA OpenSSL configfile is correctly generated !')
else:
Printing.information('Intermediate CA OpenSSL config already exist. Skip.')
if not os.path.isfile(TisPKI.intermediate_ca_keyfile(name)) and not os.path.isfile(TisPKI.intermediate_ca_certfile(name)):
Printing.information('Generate Intermediate CA private key and CSR')
gen_intermediate_ca = subprocess.run(f"/usr/bin/openssl req -config {intermediate_ca_config} -new -sha512 -keyout {TisPKI.intermediate_ca_keyfile(name)} \
-out {TisPKI.intermediate_csr_path(name)}/{name.replace(' ','_')}_intermediate_ca.csr", shell=True, check=False, executable='/bin/bash')
if gen_intermediate_ca.returncode == 0:
Printing.information('Sign Intermediate CA with Root CA')
sign_intermediate_ca = subprocess.run(f"/usr/bin/openssl ca -config {os.path.join(TisPKI.root_config_path(),'openssl_root_ca_sign_intermediate.ini')} \
-extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in {TisPKI.intermediate_csr_path(name)}/{name.replace(' ','_')}_intermediate_ca.csr \
-out {TisPKI.intermediate_ca_certfile(name)}", shell=True, check=False, executable='/bin/bash')
if sign_intermediate_ca.returncode == 0:
if verbose:
subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile(name)} -text', shell=True, check=True, executable='/bin/bash')
Printing.success(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile(name)}')
else:
Printing.error('Error on generating Intermediate CA private key')
retry = input('If you want to retry, press Y : ')
if retry == "y" or retry == 'Y':
os.remove(TisPKI.intermediate_ca_keyfile(name))
create_openssl_intermediate(name, force, verbose)
else:
Printing.error('Error on generating Intermediate CA private key')
retry = input('If you want to retry, press Y : ')
if retry == "y" or retry == 'Y':
os.remove(TisPKI.intermediate_ca_keyfile(name))
create_openssl_intermediate(name, force, verbose)
else:
Printing.warning('Intermediate CA private key and certificate already exist. Skip.')
Reference in New Issue View Git Blame Copy Permalink