summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorIndrajit Raychaudhuri <irc@indrajit.com>2026-05-15 18:26:54 -0500
committerIndrajit Raychaudhuri <irc@indrajit.com>2026-05-18 23:33:51 -0500
commit88a50d1700cac0b38595b206f804a59592bdb3d2 (patch)
tree96d45a46bd5e4e5b40b72159c0cda20856c68744 /src
parent08542c03c0d1ab2c114966f6fbd4c2b7c3a45b4a (diff)
downloadvyos-1x-88a50d1700cac0b38595b206f804a59592bdb3d2.tar.gz
vyos-1x-88a50d1700cac0b38595b206f804a59592bdb3d2.zip
pki: T8877: Add ability to show private key in pem format
Add op-mode command having ability to show private key in pem format as part of PKI configuration. This is needed for users who want to render the certificate and its private key.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/op_mode/pki.py24
1 files changed, 22 insertions, 2 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index b84b6f02a..bf8bba657 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -1252,6 +1252,7 @@ def show_certificate_authority(
def show_certificate(
raw: bool,
name: typing.Optional[str] = None,
+ private: typing.Optional[bool] = False,
pem: typing.Optional[bool] = False,
fingerprint: typing.Optional[ArgsFingerprint] = None,
):
@@ -1282,12 +1283,31 @@ def show_certificate(
if not cert:
continue
- if name and pem:
+ if name and pem and not (private or fingerprint):
print(encode_certificate(cert))
return
- elif name and fingerprint:
+ elif name and fingerprint and not private:
print(get_certificate_fingerprint(cert, fingerprint))
return
+ elif name and private:
+ if 'private' in cert_dict and 'key' in cert_dict['private']:
+ protected = 'password_protected' in cert_dict['private']
+ private_key = load_private_key(
+ cert_dict['private']['key'],
+ passphrase=None,
+ wrap_tags=True,
+ )
+ if private_key:
+ print(encode_private_key(private_key, passphrase=None))
+ else:
+ if protected:
+ print(f'Private key for certificate "{cert_name}" is '
+ 'password-protected and cannot be displayed')
+ else:
+ print(f'Failed to load private key for certificate "{cert_name}"')
+ else:
+ print(f'No private key found for certificate "{cert_name}"')
+ return
ca_name = get_certificate_ca(cert, ca_certs)
cert_subject_cn = cert.subject.rfc4514_string().split(',')[0]