NAME

NCM::Component::FreeIPA::NSS handles the certificates using NSS.

Public methods

  • new

    Returns a NSS object with nssdb, accepts the following options

    • format: dbm or sql
    • realm: IPA realm, used for CA nick
    • cacrt: IPA CA crt location, default to /etc/ipa/ca.crt
    • csr_bits: key size in bits for a new csr.
    • owner, group, mode: owner, group and permissions for nssdb and/or certs

    • log

      A logger instance (compatible with CAF::Object).

  • setup_nssdb

    Setup and initialise nssdb dirrectory

  • setup

    Setup temporary workdir with 0700 permissions, and initialise nssdb using setup_nssdb method.

    Return SUCCESS on success, undef otherwise.

  • add_cert_trusted

    Add trusted certificate with nick from file crt.

  • add_cert_ca

    Add trusted CA certificate (nick and file via canick and cacrt attributes)

  • add_cert

    Add untrusted certificate to NSSDB with nick from file cert.

  • has_cert

    Check if certificate for nick exists in NSSDB.

    If an ipa client instance is passed, also check if the certificate is known in FreeIPA.

  • get_cert

    Extract the certificate from NSSDB for nick to file cert with owner/group/mode options..

  • make_cert_request

    Make a certificate request for fqdn and optional dn, return filename of the CSR. (Used DN is <CN=<fqdn,O=<realm>>>).

  • ipa_request_cert

    Use NCM::Component::FreeIPA::Client instance ipa to make the certificate request using csr file. The certificate is stored in crt file.

    (The ipa instance should be usable, e.g. the correct kerberos environment is already setup).

    Return 1 on success, undef otherwise.

  • get_privkey

    Retrieve the private key from certificate with nick nick and save it in the file key with owner/group/mode options.

  • get_cert_or_key

    Given type, retrieve the cert of private key from certificate with nick nick and save it in the file fn with owner/group/mode options.