summaryrefslogtreecommitdiff
path: root/src/op_mode/pki.py
AgeCommit message (Collapse)Author
2024-06-24pki: T4026: Only emit private keys when available (#3667)mergify[bot]
* install_certificate() code path handles private_key=None & key_passphrase=None OK already * file and console output paths will error trying to encode None as a key * This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible * Self-signing and CA creation always generate a private key * Certreqs will generate a private key if not already provided * Do not prompt for a private key passphrase if we aren't giving back a private key (cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37) Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
2024-05-26op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificatesChristian Breunig
This fixes (for and ACME generated certificate) vyos@vyos:~$ show pki certificate vyos fingerprint sha512 Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module> show_certificate_fingerprint(args.certificate, args.fingerprint) File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint print(get_certificate_fingerprint(cert, hash)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint fp = cert.fingerprint(hash_algorithm) ^^^^^^^^^^^^^^^^ AttributeError: 'bool' object has no attribute 'fingerprint' After the fix: vyos@vyos# run show pki certificate vyos fingerprint sha256 10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2 (cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2023-11-16T3983: show pki certificate Doesnt show x509 certificatesJeffWDH
(cherry picked from commit 36de14913e0f4370d7c4e2828032a5378d3bba77)
2023-08-14pki: T5477: use Config instead of ConfigTreeQuery for defaultsJohn Estabrook
2023-08-10T5434: use auto-defaults in op-mode pki.pyJohn Estabrook
2023-08-09pki: T5273: add a certificate fingerprint commandDaniil Baturin
2023-07-15T5195: vyos.util -> vyos.utils package refactoring part #2Christian Breunig
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-07-11pki: T5275: Add op-mode output options for PEM formatsarthurdev
2023-04-18pki: T3642: Fix show command if no CA certs are presentsarthurdev
2022-05-31pki: T3642: Enable `generate pki openvpn ...` to install into configsarthurdev
2022-05-30pki: T3642: Add ability to import files into PKi configurationsarthurdev
2021-11-09pki: T3970: Allow op-mode PKI commands in a config session to install directlysarthurdev
2021-09-26op-mode: pki: T3826: perform input validation when listing certificatesChristian Poessinger
2021-09-10wireguard: T3642: directly import keys to CLI when run in config modeChristian Poessinger
vyos@vyos# run generate pki wireguard key-pair install interface wg10 "generate" CLI command executed from config session. Generated private-key was imported to CLI! Use the following command to verify: show interfaces wireguard wg10 Corresponding public-key to use on peer system is: 'hGaWcoG7f+5sPAUY/MNQH1JFhsYdsGTecYA9S2J8xGs=' vyos@vyos# run generate pki wireguard preshared-key install interface wg10 peer vyos "generate" CLI command executed from config session. Generated preshared-key was imported to CLI! Use the following command to verify: show interfaces wireguard wg10 vyos@vyos# show interfaces wireguard wg10 +peer vyos { + preshared-key OwTALZy8w6VIBMxUwbOv6Ys7QMyhrtY4aw+0cUjmmCw= +} +private-key 0Pu95CejvCUCCwrTW39TCYnitESWAdIIFTVJb7UgxVU= [edit]
2021-09-09wireguard: T3642: improve "set" commands for generated key-pairsChristian Poessinger
2021-09-09pki: T3642: use f'ormated strings in print()Christian Poessinger
2021-09-09pki: wireguard: T3815: do not bail out early so keys can be written to fileChristian Poessinger
2021-08-23pki: T3642: use ConfigTreeQuery() instead of Config() from op-modeChristian Poessinger
2021-08-13pki: T3752: Fix file output for certificate requestssarthurdev
2021-07-23pki: T3642: Add ability to write generated certificates/keys to specified ↵sarthurdev
filenames
2021-07-19pki: wireguard: T3642: Migrate Wireguard private key directly into CLIsarthurdev
Also renames peer pubkey to public-key for consistency
2021-07-05pki: T3642: Support for adding SANs on certificate requestssarthurdev
2021-07-04pki: T3642: Add standard extensions to generated certificatessarthurdev
2021-07-03pki: T3642: Fix for correct method on encoding certificate requestsarthurdev
2021-07-03pki: T3642: Add support for signing and revoking subordinate CAssarthurdev
2021-06-29pki: ipsec: T3642: Migrate IPSec to use PKI configurationsarthurdev
2021-06-29pki: T3642: New PKI config and managementsarthurdev