github-1: support for hashing functions other than sha1
#!/usr/bin/python -tt
# sign/list keys
# --ca ca sign/list certs for the 'ca'
# --sign hostname hostname hostname
# --list # lists all csrs needing to be signed
# --list-all ca list all certs for a given ca
# --clean? not sure what it will do

9 import sys
10 import glob
11 import optparse
12 import os
13
14 import certmaster
15 import certmaster.certs
16 import certmaster.certmaster
17
def errorprint(stuff):
    """Write *stuff* to stderr, followed by a newline.

    Used for every diagnostic so that normal output on stdout stays
    machine-readable (e.g. the hostname lists).
    """
    sys.stderr.write("%s\n" % (stuff,))
20
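class CertmasterCAOptionParser(optparse.OptionParser):
    """OptionParser whose --version output is read from the installed version file."""

    def get_version(self):
        """Return the contents of /etc/certmaster/version with surrounding whitespace removed.

        Raises IOError when the version file is missing or unreadable.
        """
        # Close the handle deterministically instead of relying on the
        # garbage collector; plain try/finally keeps this usable on older
        # interpreters that lack the 'with' statement.
        fh = open("/etc/certmaster/version")
        try:
            return fh.read().strip()
        finally:
            fh.close()


def parseargs(args):
    """Parse the certmaster-ca command line.

    args: argument list without the program name (sys.argv[1:] style).
    Returns (opts, remaining_args). When none of the action options
    (--list, --sign, --clean, --list-signed, --list-cert-hash) is given,
    prints the usage text and exits with status 1.
    """
    usage = 'certmaster-ca <option> [args]'
    parser = CertmasterCAOptionParser(usage=usage, version=True)

    parser.add_option("", '--ca', default='', action="store", dest="ca", metavar="CA",
                      help="certificate authority used to sign/list certs")
    parser.add_option('-l', '--list', default=False, action="store_true",
                      help='list signing requests remaining')
    parser.add_option('-s', '--sign', default=False, action="store_true",
                      help='sign requests of hosts specified')
    parser.add_option('-c', '--clean', default=False, action="store_true",
                      help="clean out all certs or csrs for the hosts specified")
    parser.add_option("", "--list-signed", default=False, action="store_true",
                      help='list all signed certs')
    parser.add_option("", "--list-cert-hash", default=False, action="store_true",
                      help="list the cert hash for signed certs")

    # Parse the list we were handed rather than silently re-reading
    # sys.argv, so the function honours its own parameter.
    (opts, args) = parser.parse_args(args)

    # Exactly one action is expected; with none given the user needs the help text.
    if not (opts.list or opts.sign or opts.clean
            or opts.list_signed or opts.list_cert_hash):
        parser.print_help()
        sys.exit(1)

    return (opts, args)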
52
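def main(args):
    """Run the certmaster-ca command line and return the process exit status.

    args: argument list without the program name (sys.argv[1:]).
    Returns 0 on success and 1 on a usage, privilege or lookup error.
    Diagnostics go to stderr via errorprint(); listings and signing
    results go to stdout.
    """
    # Signing and cleaning operate on the CA's key material, so refuse
    # outright unless running as (effective) root.
    if os.geteuid() != 0:
        errorprint('Must be root to run certmaster-ca')
        return 1

    cm = certmaster.certmaster.CertMaster()

    (opts, args) = parseargs(args)

    ## Check that the ca option matches a configured ca
    try:
        certauth = cm.cfg.ca[opts.ca]
    except (KeyError, AttributeError):
        # Only a failed lookup means "no such ca"; the previous bare except
        # also swallowed KeyboardInterrupt and SystemExit.
        errorprint("Unknown ca %s: check /etc/certmaster.cfg" % opts.ca)
        return 1

    if opts.list:
        hns = cm.get_csrs_waiting(certauth)
        if hns:
            for hn in sorted(hns):
                print(hn)
        else:
            print('No certificates to sign')

        return 0

    if opts.sign:
        if not args:
            errorprint('Need hostnames to sign')
            return 1

        # Each hostname is used as a shell-style glob under csrroot, so
        # 'web*' signs every matching csr. The pattern is interpolated
        # unvalidated; that is tolerable only because this tool is
        # root-only and the arguments come from the operator. Signing
        # stops at the first hostname with no match -- earlier hostnames
        # in the list have already been signed by then.
        for hn in args:
            csrglob = '%s/%s.csr' % (certauth.csrroot, hn)
            csrs = glob.glob(csrglob)
            if not csrs:
                errorprint('No match for %s to sign' % hn)
                return 1

            for fn in csrs:
                certfile = cm.sign_this_csr(fn, certauth)
                print('%s signed - cert located at %s' % (fn, certfile))
        return 0

    if opts.clean:
        if not args:
            errorprint('Need hostname(s) to clean up')
            return 1

        for hn in args:
            cm.remove_this_cert(hn, certauth)

        return 0

    if opts.list_signed:
        # No hostnames means every host; the arguments are glob patterns.
        hostglobs = args or ["*"]

        # Pass hostglobs, as --list-cert-hash does, rather than the raw
        # args: passing args silently discarded the "*" default whenever
        # no hostname was given.
        signed_certs = cm.get_signed_certs(certauth, hostglobs)

        for i in sorted(signed_certs):
            print(i)

        return 0

    if opts.list_cert_hash:
        # No hostnames means every host; the arguments are glob patterns.
        hostglobs = args or ["*"]

        cert_hashes = cm.get_cert_hashes(certauth, hostglobs)

        for i in sorted(cert_hashes):
            print(i)

        return 0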
129
if __name__ == "__main__":
    # The process exit status is whatever main() reports (0 ok, 1 error).
    exit_status = main(sys.argv[1:])
    sys.exit(exit_status)