
#!/usr/bin/python3
#-------------------------------------------------------------------------------
# Name: Samba PKI Tools
# Purpose:
#
# Author: kguerineau-adm
#
# Created: 10/05/2024
# Copyright: (c) kguerineau-adm 2024
# Licence: <your licence>
#-------------------------------------------------------------------------------
# Manage user certificates: issue a user certificate signed by the root CA or, when configured, the intermediate CA
import configparser
import os
import re
import shutil
import subprocess
import sys
import time

import jinja2
from colorama import Fore, Style

from common import Printing, TisPKI, check_directories, config
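# Characters accepted in a username. The value is used as a file name under
# the PKI directories, as an OpenSSL config value (the msUPN otherName) and as
# the certificate CN, so it must never carry path separators, whitespace,
# control characters or OpenSSL config syntax ('[', ']', '#', '=').
_USERNAME_RE = re.compile(r'[A-Za-z0-9._-]+')


def _checked_username(raw):
    """Return *raw* stripped, or raise ValueError if it is unsafe to use.

    AD sAMAccountNames may contain other characters (spaces, '@', ...);
    those are deliberately rejected here instead of being quoted per
    context, because one value feeds three different syntaxes.

    Raises:
        ValueError: the name is empty, is '.' or '..', or contains a
            character outside [A-Za-z0-9._-].
    """
    username = raw.strip()
    if (not username or username in ('.', '..')
            or not _USERNAME_RE.fullmatch(username)):
        raise ValueError(
            f'Refusing username {raw!r}: only A-Z a-z 0-9 . _ - are accepted')
    return username


def _run_openssl(argv, private_outputs=()):
    """Run one openssl command as an argv list (no shell) with check=True.

    A non-zero exit raises subprocess.CalledProcessError. stdin/stdout are
    inherited, so openssl can still prompt for passphrases interactively.
    Every path in *private_outputs* is chmod'ed to 0600 afterwards: openssl
    creates output files with the process umask (usually 0644), which is too
    permissive for key material. There is a short window between creation
    and chmod, so the PKI directories themselves should not be world-readable.
    """
    print(subprocess.run(argv, check=True))
    for path in private_outputs:
        os.chmod(path, 0o600)


def generate_user_certificate():
    """Interactively issue a user certificate for one Samba AD account.

    The username is read from stdin and validated (see _checked_username);
    the UPN is <username>@<samba_ad.upn_suffix>. Steps, each an openssl call
    run without a shell:
      1. render templates/openssl_user_cert.tmpl into openssl_user.ini with
         the CA key/cert paths and subject defaults from config, and append
         a [ sanuser ] section carrying the msUPN otherName and email=copy;
      2. openssl req: new RSA key of openssl_config.default_bits_user and a
         CSR (<username>.key / <username>.csr);
      3. openssl ca: sign the CSR with the usr_cert_scarduser extensions
         (<username>.crt);
      4. openssl rsa: write a passphrase-less copy of the key
         (<username>-nopasswd.key);
      5. openssl pkcs12: bundle that key and the cert into <username>.p12.

    Outputs always go under the root-CA key/csr/cert/p12 directories; only
    the CA material and config location follow TisPKI.intermediate_ca.
    Key files and the .p12 are chmod'ed to 0600.

    Raises:
        ValueError: the entered username is empty or contains characters
            outside [A-Za-z0-9._-].
        subprocess.CalledProcessError: an openssl step exited non-zero.
    """
    default_bits_user = config.get('openssl_config', 'default_bits_user')
    username = _checked_username(input('Enter username'))
    upn_suffix = config.get('samba_ad', 'upn_suffix')
    upn = f'{username}@{upn_suffix}'
    # Subject fields are identical in both CA branches.
    emailAddress = upn
    commonName = username
    if TisPKI.intermediate_ca:
        crl_file = os.path.join(TisPKI.intermediate_crl_path(), 'intermediate_ca.crl')
        dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(), 'intermediate_ca.key')
        dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(), 'intermediate_ca.crt')
        crl_uri = config.get('openssl_config', 'intermediate_crl_uri')
        pki_dir = TisPKI.pki_intermediate_dir()
        openssl_user_file = os.path.join(TisPKI.intermediate_config_path(), 'openssl_user.ini')
    else:
        crl_file = os.path.join(TisPKI.root_crl_path(), 'root_ca.crl')
        dc_ca_keyfile = os.path.join(TisPKI.root_keyout_path(), 'root_ca.key')
        dc_ca_certfile = os.path.join(TisPKI.root_cert_path(), 'root_ca.crt')
        crl_uri = config.get('openssl_config', 'crl_uri')
        pki_dir = TisPKI.pki_dir()
        openssl_user_file = os.path.join(TisPKI.root_config_path(), 'openssl_user.ini')
    # crl_file is not consumed by the steps below; kept so the two branches
    # stay symmetrical with the rest of the module.
    del crl_file

    template_dir = 'templates'
    jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
    user_tmpl = jinja_env.get_template('openssl_user_cert.tmpl')
    user_tmpl_var = {
        'crl_uri': crl_uri,
        'pki_dir': pki_dir,
        'default_cert_duration': config.get('openssl_config', 'default_cert_duration'),
        'country': config.get('openssl_config', 'country'),
        'state': config.get('openssl_config', 'state'),
        'city': config.get('openssl_config', 'city'),
        'organization_name': config.get('openssl_config', 'organization_name'),
        'organization_ou': config.get('openssl_config', 'organization_ou'),
        'dc_ca_keyfile': dc_ca_keyfile,
        'dc_ca_certfile': dc_ca_certfile,
        'default_bits_user': default_bits_user,
        'emailAddress': emailAddress,
        'commonName': commonName,
    }
    config_string = user_tmpl.render(user_tmpl_var)
    # The [ sanuser ] section was previously spliced in through a bash
    # process substitution on every openssl call, which required shell=True
    # and interpolated the raw username into a shell command line. Writing
    # the section into the rendered config once is equivalent for openssl
    # and needs no shell. upn cannot break the config syntax because
    # _checked_username rejects newlines and section/comment characters.
    if not config_string.endswith('\n'):
        config_string += '\n'
    config_string += f'[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\n'
    with open(openssl_user_file, 'wt') as file:
        file.write(config_string)
    print('User OpenSSL configfile is correctly generated !')

    # NOTE(review): outputs are written under the root-CA paths even when
    # TisPKI.intermediate_ca is set (only the signing CA changes) - confirm
    # this is intended.
    key_dir = TisPKI.root_keyout_path()
    key_file = os.path.join(key_dir, f'{username}.key')
    nopass_key_file = os.path.join(key_dir, f'{username}-nopasswd.key')
    csr_file = os.path.join(TisPKI.root_csr_path(), f'{username}.csr')
    cert_file = os.path.join(TisPKI.root_cert_path(), f'{username}.crt')
    p12_file = os.path.join(TisPKI.root_p12_path(), f'{username}.p12')

    print(f'Generate private key for {upn}')
    _run_openssl(
        ['openssl', 'req', '-new', '-newkey', f'rsa:{default_bits_user}',
         '-keyout', key_file, '-out', csr_file, '-config', openssl_user_file],
        private_outputs=(key_file,))

    print('Sign certificate')
    # '-days 730' on the command line overrides whatever default_days the
    # template derives from openssl_config.default_cert_duration.
    # NOTE(review): confirm which of the two values is meant to win.
    _run_openssl(
        ['openssl', 'ca', '-extensions', 'usr_cert_scarduser', '-days', '730',
         '-notext', '-md', 'sha512', '-create_serial',
         '-in', csr_file, '-out', cert_file, '-config', openssl_user_file])

    print('Remove password in rsa key')
    # NOTE(review): this leaves an unencrypted copy of the user's private key
    # on disk. 'openssl pkcs12 -export' can read the passphrase-protected key
    # directly, so the step is only needed if something else consumes the
    # -nopasswd.key file; otherwise drop it and point -inkey at key_file.
    _run_openssl(['openssl', 'rsa', '-in', key_file, '-out', nopass_key_file],
                 private_outputs=(nopass_key_file,))

    print('Create p12')
    _run_openssl(
        ['openssl', 'pkcs12', '-export', '-inkey', nopass_key_file,
         '-in', cert_file, '-out', p12_file],
        private_outputs=(p12_file,))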