diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-10-06 20:13:56 +0200 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-10-07 15:10:09 +0000 |
| commit | 195a1feec400e7159290479c23c0176774a9eccf (patch) | |
| tree | 9800f96c1ebaceea400e55a147e256110d496669 /src/op_mode | |
| parent | 3e7cc03b4608196a0989e6af6ad65748b69f0672 (diff) | |
| download | vyos-1x-195a1feec400e7159290479c23c0176774a9eccf.tar.gz vyos-1x-195a1feec400e7159290479c23c0176774a9eccf.zip | |
pki: T6481: auto import ACME certificate chain into CLImergify/bp/circinus/pr-4118
When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate <name> acme" CLI node of a certificate but CA chains reside
under "pki ca".
This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens, when the chain was not already
added manually by the user.
ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard when the intermediate CA changes, the referenced name on the CLI
stays consitent for any pending daemon updates.
(cherry picked from commit 875764b07f937fc599e2e62c667e7b811ddc2ed3)
Diffstat (limited to 'src/op_mode')
| -rwxr-xr-x | src/op_mode/pki.py | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 615a458c9..1b0f61c22 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -26,13 +26,22 @@ from cryptography.x509.oid import ExtendedKeyUsageOID from vyos.config import Config from vyos.config import config_dict_mangle_acme -from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters +from vyos.pki import encode_certificate +from vyos.pki import encode_public_key +from vyos.pki import encode_private_key +from vyos.pki import encode_dh_parameters from vyos.pki import get_certificate_fingerprint -from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list +from vyos.pki import create_certificate +from vyos.pki import create_certificate_request +from vyos.pki import create_certificate_revocation_list from vyos.pki import create_private_key from vyos.pki import create_dh_parameters -from vyos.pki import load_certificate, load_certificate_request, load_private_key -from vyos.pki import load_crl, load_dh_parameters, load_public_key +from vyos.pki import load_certificate +from vyos.pki import load_certificate_request +from vyos.pki import load_private_key +from vyos.pki import load_crl +from vyos.pki import load_dh_parameters +from vyos.pki import load_public_key from vyos.pki import verify_certificate from vyos.utils.io import ask_input from vyos.utils.io import ask_yes_no |