#!/usr/bin/python -tt
# sign/list keys
+# --ca ca sign/list certs for the 'ca'
# --sign hostname hostname hostname
# --list # lists all csrs needing to be signed
-# --list-all ?
+# --list-all ca list all certs for a given ca
# --clean? not sure what it will do
import sys
import glob
+import optparse
import os
import certmaster
import certmaster.certs
import certmaster.certmaster
-
-
-from optparse import OptionParser
-
def errorprint(stuff):
print >> sys.stderr, stuff
+class CertmasterCAOptionParser(optparse.OptionParser):
+ def get_version(self):
+ return file("/etc/certmaster/version").read().strip()
def parseargs(args):
usage = 'certmaster-ca <option> [args]'
- parser = OptionParser(usage=usage)
-
+ parser = CertmasterCAOptionParser(usage=usage,version=True)
+
+ parser.add_option("", '--ca', default='', action="store", dest="ca", metavar="CA",
+ help="certificate authority used to sign/list certs")
parser.add_option('-l', '--list', default=False, action="store_true",
help='list signing requests remaining')
parser.add_option('-s', '--sign', default=False, action="store_true",
help='sign requests of hosts specified')
parser.add_option('-c', '--clean', default=False, action="store_true",
help="clean out all certs or csrs for the hosts specified")
+ parser.add_option("", "--list-signed", default=False, action="store_true",
+ help='list all signed certs')
+ parser.add_option("", "--list-cert-hash", default=False, action="store_true",
+ help="list the cert hash for signed certs")
(opts, args) = parser.parse_args()
- if not opts.list and not opts.sign and not opts.clean:
+ # gotta be a better way...
+ if not opts.list and not opts.sign and not opts.clean \
+ and not opts.list_signed and not opts.list_cert_hash:
parser.print_help()
sys.exit(1)
(opts, args) = parseargs(args)
+ ## Check that the ca option matches a configured ca
+ try:
+ certauth = cm.cfg.ca[opts.ca]
+ except:
+ errorprint("Unknown ca %s: check /etc/certmaster.cfg" % opts.ca)
+ return 1
if opts.list:
- hns = cm.get_csrs_waiting()
+ hns = cm.get_csrs_waiting(certauth)
if hns:
- for hn in cm.get_csrs_waiting():
+ for hn in sorted(hns):
print hn
else:
print 'No certificates to sign'
return 1
for hn in args:
- csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn)
+ csrglob = '%s/%s.csr' % (certauth.csrroot, hn)
csrs = glob.glob(csrglob)
if not csrs:
errorprint('No match for %s to sign' % hn)
return 1
for fn in csrs:
- certfile = cm.sign_this_csr(fn)
+ certfile = cm.sign_this_csr(fn, certauth)
print '%s signed - cert located at %s' % (fn, certfile)
return 0
return 1
for hn in args:
- cm.remove_this_cert(hn)
+ cm.remove_this_cert(hn, certauth)
+
+ return 0
+
+ if opts.list_signed:
+ hostglobs = ["*"]
+ if args:
+ hostglobs = args
+
+ signed_certs = cm.get_signed_certs(certauth, args)
+
+ for i in sorted(signed_certs):
+ print i
+
+ return 0
+ if opts.list_cert_hash:
+ hostglobs = ["*"]
+ if args:
+ hostglobs = args
+
+ cert_hashes = cm.get_cert_hashes(certauth, hostglobs)
+
+ for i in sorted(cert_hashes):
+ print i
+
return 0
if __name__ == "__main__":