summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-04 07:33:43 +0000
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-04 07:33:43 +0000
commitc64f2d2b15ea42ef4a99f74825c527b253626c72 (patch)
tree517b7f279db028546df1286e3734d22e057ef3e1
parent037ea2ced91232a797f0414ed60099d873d543a6 (diff)
downloadkcmldapcontroller-c64f2d2b.tar.gz
kcmldapcontroller-c64f2d2b.zip
Update CRL independently of root CA
Diffstat
-rw-r--r--cert-updater/main.cpp47
1 files changed, 32 insertions, 15 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 5656a5f..2933ba3 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,14 @@ int main(int argc, char *argv[])
else {
if (realmCAMaster == fqdn) {
printf("This server is the realm CA master\n"); fflush(stdout);
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
if (certExpiry >= now) {
@@ -164,27 +172,13 @@ int main(int argc, char *argv[])
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
- TQString realmname = m_defaultRealm.upper();
- LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "";
- credentials->password = "";
- credentials->realm = realmname;
- LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQString errorstring;
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
- // CRL
- if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
- printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
- }
-
ca_modified = true;
-
- delete ldap_mgr;
}
// Set permissions
@@ -196,6 +190,28 @@ int main(int argc, char *argv[])
else {
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
}
+
+ // Check CRL expiry
+ TQByteArray certificateContents;
+ if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
+ certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
+ if (certExpiry >= now) {
+ printf("CRL expires %s\n", certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating CRL...\n"); fflush(stdout);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+
+ // Upload the new CRL to the LDAP server
+ if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
+ printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+
+ ca_modified = true;
+ }
+ }
+
+ delete ldap_mgr;
}
else {
printf("This server is a realm CA slave\n"); fflush(stdout);
@@ -270,8 +286,9 @@ int main(int argc, char *argv[])
}
}
- if (ca_modified)
+ if (ca_modified) {
force_update = true;
+ }
// Kerberos
if (TQFile::exists(kdc_certfile)) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-01 12:13:15 +0000