author | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2015-09-04 07:33:43 +0000 |
---|---|---|
committer | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2015-09-04 07:33:43 +0000 |
commit | c64f2d2b15ea42ef4a99f74825c527b253626c72 (patch) | |
tree | 517b7f279db028546df1286e3734d22e057ef3e1 | |
parent | 037ea2ced91232a797f0414ed60099d873d543a6 (diff) | |
download | kcmldapcontroller-c64f2d2b15ea42ef4a99f74825c527b253626c72.tar.gz kcmldapcontroller-c64f2d2b15ea42ef4a99f74825c527b253626c72.zip |
Update CRL independently of root CA
-rw-r--r-- | cert-updater/main.cpp | 47 |
1 files changed, 32 insertions, 15 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 5656a5f..2933ba3 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,14 @@ int main(int argc, char *argv[])
 else {
 if (realmCAMaster == fqdn) {
 printf("This server is the realm CA master\n"); fflush(stdout);
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
 if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
 certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
 if (certExpiry >= now) {
@@ -164,27 +172,13 @@ int main(int argc, char *argv[])
 printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
 LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
- TQString realmname = m_defaultRealm.upper();
- LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "";
- credentials->password = "";
- credentials->realm = realmname;
- LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-
 // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
 TQString errorstring;
 if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
 printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
 }
- // CRL
- if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
- printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
- }
- ca_modified = true;
-
- delete ldap_mgr;
 }
 // Set permissions
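Review bot: `ca_modified = true;` is removed from the CA-regeneration path in this hunk, and the CRL block in the third hunk sets it only when a CRL refresh happens, so after `LDAPManager::generatePublicKerberosCACertificate` rebuilds the CA certificate `ca_modified` stays false and the `force_update = true` in the last hunk never fires for the certificates issued under the previous CA. Keep `ca_modified = true;` after the `uploadKerberosCAFileToLDAP` check in this hunk so a rebuilt CA still forces the dependent certificates to be refreshed. Separately, `TQString errorstring;` stays declared inside this regeneration block, yet the CRL block in the third hunk references `errorstring` after the enclosing `if (TQFile::exists(KERBEROS_PKI_PEM_FILE))`/`else` statement has closed; unless main declares another `errorstring` at an outer scope outside these hunks, that will not compile, so move the declaration next to `ldap_mgr` in the first hunk (`TQString errorstring;` right after the `new LDAPManager(...)` line). The enclosing main() begins and ends outside this hunk.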
@@ -196,6 +190,28 @@ int main(int argc, char *argv[])
 else {
 printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
 }
+
+ // Check CRL expiry
+ TQByteArray certificateContents;
+ if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
+ certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
+ if (certExpiry >= now) {
+ printf("CRL expires %s\n", certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating CRL...\n"); fflush(stdout);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+
+ // Upload the new CRL to the LDAP server
+ if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
+ printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+
+ ca_modified = true;
+ }
+ }
+
+ delete ldap_mgr;
 }
 else {
 printf("This server is a realm CA slave\n"); fflush(stdout);
@@ -270,8 +286,9 @@ int main(int argc, char *argv[])
 }
 }
- if (ca_modified)
+ if (ca_modified) {
 force_update = true;
+ }
 // Kerberos
 if (TQFile::exists(kdc_certfile)) { |