From 3d1e6768bb6f7ce6968a9422bd23404d2ad27303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Tue, 2 Jan 2018 13:13:48 +0000
Subject: [PATCH] cli: Self-enroll again only if cert is about to expire
---
 certidude/authority.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/certidude/authority.py b/certidude/authority.py
index 3e0dc06..680343a 100644
--- a/certidude/authority.py
+++ b/certidude/authority.py
@@ -43,10 +43,22 @@ def self_enroll():
 from certidude import const
 common_name = const.FQDN
 directory = os.path.join("/var/lib/certidude", const.FQDN)
- # Sign certificate used for HTTPS
- public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
- with open(os.path.join(directory, "self_key.pem"), 'wb') as fh:
- fh.write(asymmetric.dump_private_key(private_key, None))
+ self_key_path = os.path.join(directory, "self_key.pem")
+
+ try:
+ path, buf, cert, signed, expires = get_signed(common_name)
+ public_key = asymmetric.load_public_key(path)
+ private_key = asymmetric.load_private_key(self_key_path)
+ except FileNotFoundError: # certificate or private key not found
+ with open(self_key_path, 'wb') as fh:
+ public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
+ fh.write(asymmetric.dump_private_key(private_key, None))
+ else:
+ now = datetime.utcnow()
+ if now - timedelta(days=1) < expires:
+ click.echo("Certificate %s still valid, delete to self-enroll again" % path)
+ return
+
 builder = CSRBuilder({"common_name": common_name}, public_key)
 request = builder.build(private_key)
 with open(os.path.join(directory, "requests", common_name + ".pem"), "wb") as fh:
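Review bot: The renewal threshold in the new else branch is inverted: `if now - timedelta(days=1) < expires:` treats the certificate as "still valid" until a full day after it has expired, so an already-expired certificate makes the function echo the still-valid message and return without re-enrolling. To re-enroll when less than a day of validity remains, the comparison should be `if now + timedelta(days=1) < expires:`. This also assumes `expires` is a naive UTC datetime comparable with `datetime.utcnow()`; if get_signed() returns a timezone-aware value the comparison raises TypeError, which is worth confirming. Separately, the regenerated private key in the except branch is still written through `open(self_key_path, 'wb')` under the process umask and may end up group/world-readable; `os.open(self_key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `os.fdopen` would pin the mode. self_enroll() starts in the hunk header and its body continues past the end of the hunk.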