Description
Is your feature request related to a problem? Please describe.
I need to create a pkcs12 as an intermediate step in creating a java keystore. When I import the pkcs12 into the java keystore, I want to use an alias for the certificate chain in the pkcs12.
Describe the solution you'd like
The function create_pkcs12 in salt/modules/tls.py should be updated to call set_friendlyname() if a friendlyname argument is passed to it.
Describe alternatives you've considered
We are currently creating the pkcs12 files using a cmd.run call.
Additional context
Here is a state file which does all the steps to create the pkcs12 file and then import it into a java keystore.
'salt-call tls.create_ca mytest':
  module.run:
    - tls.create_ca:
      - mytest
    - creates: /etc/pki/mytest

'salt-call tls.create_csr mytest CN=mycert':
  module.run:
    - tls.create_csr:
      - mytest
      - CN: mycert
    - creates: /etc/pki/mytest/certs/mycert.csr
    - watch:
      - module: 'salt-call tls.create_ca mytest'

'salt-call tls.create_ca_signed_cert mytest mycert':
  module.run:
    - tls.create_ca_signed_cert:
      - mytest
      - mycert
    - creates: /etc/pki/mytest/certs/mycert.crt
    - watch:
      - module: 'salt-call tls.create_csr mytest CN=mycert'

'create mycert.p12':
  module.run:
    - tls.create_pkcs12:
      - ca_name: mytest
      - CN: mycert
      - passphrase: changeit
      - friendlyname: mycert
    - creates: "/etc/pki/mytest/certs/mycert.p12"
    - watch:
      - module: 'salt-call tls.create_ca mytest'
      - module: 'salt-call tls.create_csr mytest CN=mycert'
      - module: 'salt-call tls.create_ca_signed_cert mytest mycert'

'create mycert.jks':
  cmd.run:
    - name: "/usr/bin/keytool -importkeystore -deststorepass 'changeit' -destkeypass 'changeit' -destkeystore /etc/pki/mytest/certs/mycert.jks -srckeystore /etc/pki/mytest/certs/mycert.p12 -srcstoretype PKCS12 -srcstorepass 'changeit' -alias 'mycert'"
    - creates: "/etc/pki/mytest/certs/mycert.jks"
    - onchanges:
      - module: 'create mycert.p12'

And a git diff showing a solution:
$ git diff
diff --git a/salt/modules/tls.py b/salt/modules/tls.py
index b74b765..abac657 100644
--- a/salt/modules/tls.py
+++ b/salt/modules/tls.py
@@ -1555,7 +1555,7 @@ def create_ca_signed_cert(
)
-def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False, friendlyname=None):
"""
Create a PKCS#12 browser certificate for a particular Certificate (CN)
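Review bot: the rewritten `def create_pkcs12(...)` line is now considerably longer than the rest of the module and inconsistent with the one-parameter-per-line layout the neighbouring `create_ca_signed_cert(` ... `)` uses just above this hunk; wrap it the same way, e.g. `def create_pkcs12(` / `    ca_name, CN, passphrase="", cacert_path=None, replace=False, friendlyname=None` / `):`. Appending `friendlyname=None` as the last keyword keeps existing positional callers working, which is the right choice here.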
@@ -1569,6 +1569,8 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
absolute path to ca certificates root directory
replace
Replace this certificate even if it exists
+ friendlyname
+ a friendly name for the PKCS #12 structure
.. versionadded:: 2015.5.1
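Review bot: the new `friendlyname` entry carries no `.. versionadded::` marker, unlike the function-level one visible at the end of this hunk; add one under the parameter (using the release it will ship in, a placeholder until known) and say what the value is used for, since it is the alias that tools such as keytool look up when importing the bundle, e.g. `friendlyname` / `    friendly name (alias) stored in the PKCS#12 bundle` / `    .. versionadded:: <release>`.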
@@ -1626,6 +1628,8 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
pkcs12.set_certificate(cert)
pkcs12.set_ca_certificates([ca_cert])
pkcs12.set_privatekey(key)
+ if friendlyname:
+ pkcs12.set_friendlyname(salt.utils.stringutils.to_bytes(friendlyname))
with salt.utils.files.fopen(
"{}/{}/certs/{}.p12".format(cert_base_path(), ca_name, CN), "wb"
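Review bot: the added `pkcs12.set_friendlyname(salt.utils.stringutils.to_bytes(friendlyname))` line depends on `salt.utils.stringutils` being imported in this module, and the hunk shows no import; confirm tls.py already imports it (it already uses `salt.utils.files` on the following context line, so the same import style applies) or add the import in this change, otherwise the new branch raises `NameError` only when `friendlyname` is set. Also note in the docstring that the value must match the `-alias` passed to keytool (the state in this issue uses `mycert` for both), since a mismatch makes the later `-importkeystore` step fail to find the entry.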
Please Note
If this feature request would be considered a substantial change or addition, this should go through a SEP process here https://github.com/saltstack/salt-enhancement-proposals, instead of a feature request.