add a method to renew a CA certificate

c378f69c · ale · 0bce6d0c · c378f69c
Commit c378f69c authored Mar 14, 2014 by ale
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 21 deletions

autoca/ca.py autoca/ca.py +31 -21

No files found.
--- a/autoca/ca.py
+++ b/autoca/ca.py
@@ -20,17 +20,7 @@ class CA(object):
        self._init_ca()
        self._load_crl()

-    def _init_ca(self):
-        key_str, crt_str = self.storage.get_ca()
-        if key_str:
-            self.ca_key = crypto.load_privatekey(
-                crypto.FILETYPE_PEM, key_str)
-            self.ca_crt = crypto.load_certificate(
-                crypto.FILETYPE_PEM, crt_str)
-            self.public_ca_pem = crt_str
-        else:
-            log.info('initializing CA certificate and private key')
-            self.ca_key = certutil.create_rsa_key_pair(self.bits)
+    def _generate_ca_cert(self):
        ca_req = certutil.create_cert_request(
            self.ca_key, **(self.ca_subject))
        self.ca_crt = certutil.sign_certificate(
@@ -52,6 +42,26 @@ class CA(object):
            crt_str)
        self.public_ca_pem = crt_str

+    def _init_ca(self):
+        key_str, crt_str = self.storage.get_ca()
+        if key_str:
+            self.ca_key = crypto.load_privatekey(
+                crypto.FILETYPE_PEM, key_str)
+            self.ca_crt = crypto.load_certificate(
+                crypto.FILETYPE_PEM, crt_str)
+            self.public_ca_pem = crt_str
+        else:
+            log.info('initializing CA certificate and private key')
+            self.ca_key = certutil.create_rsa_key_pair(self.bits)
+            self._generate_ca_cert()
+
+    def renew_ca(self):
+        if not self.ca_key:
+            log.error('CA private key not available')
+            return
+        log.info('renewing CA certificate')
+        self._generate_ca_cert()
+
    def get_ca(self):
        return self.public_ca_pem

@@ -77,7 +87,7 @@ class CA(object):
            crypto.X509Extension('extendedKeyUsage', False,
                                 server and 'serverAuth' or 'clientAuth'),
            crypto.X509Extension('nsCertType', False,
-                                 server and 'server' or 'client'),
+                                 server and 'client, server' or 'client'),
            ]
        cert = certutil.sign_certificate(
            req, self.ca_key, self.ca_crt, new_serial, days,