diff options
| author | Indrajit Raychaudhuri <irc@indrajit.com> | 2026-05-15 18:26:54 -0500 |
|---|---|---|
| committer | Indrajit Raychaudhuri <irc@indrajit.com> | 2026-05-18 23:33:51 -0500 |
| commit | 88a50d1700cac0b38595b206f804a59592bdb3d2 (patch) | |
| tree | 96d45a46bd5e4e5b40b72159c0cda20856c68744 /src | |
| parent | 08542c03c0d1ab2c114966f6fbd4c2b7c3a45b4a (diff) | |
| download | vyos-1x-88a50d1700cac0b38595b206f804a59592bdb3d2.tar.gz vyos-1x-88a50d1700cac0b38595b206f804a59592bdb3d2.zip | |
pki: T8877: Add ability to show private key in pem format
Add op-mode command having ability to show private
key in pem format as part of PKI configuration.
This is needed for users who want to render the
certificate and its private key.
Diffstat (limited to 'src')
| -rwxr-xr-x | src/op_mode/pki.py | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index b84b6f02a..bf8bba657 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -1252,6 +1252,7 @@ def show_certificate_authority( def show_certificate( raw: bool, name: typing.Optional[str] = None, + private: typing.Optional[bool] = False, pem: typing.Optional[bool] = False, fingerprint: typing.Optional[ArgsFingerprint] = None, ): @@ -1282,12 +1283,31 @@ def show_certificate( if not cert: continue - if name and pem: + if name and pem and not (private or fingerprint): print(encode_certificate(cert)) return - elif name and fingerprint: + elif name and fingerprint and not private: print(get_certificate_fingerprint(cert, fingerprint)) return + elif name and private: + if 'private' in cert_dict and 'key' in cert_dict['private']: + protected = 'password_protected' in cert_dict['private'] + private_key = load_private_key( + cert_dict['private']['key'], + passphrase=None, + wrap_tags=True, + ) + if private_key: + print(encode_private_key(private_key, passphrase=None)) + else: + if protected: + print(f'Private key for certificate "{cert_name}" is ' + 'password-protected and cannot be displayed') + else: + print(f'Failed to load private key for certificate "{cert_name}"') + else: + print(f'No private key found for certificate "{cert_name}"') + return ca_name = get_certificate_ca(cert, ca_certs) cert_subject_cn = cert.subject.rfc4514_string().split(',')[0] |
