
@acidprime
Created September 12, 2013 01:12
Generate a new CSR using M$ CA services
#!/System/Library/Frameworks/Python.framework/Versions/2.6/bin/python
# Absolute paths to the external tools this script runs; given a full path,
# Popen does not search PATH for the executable.
openssl = "/usr/bin/openssl"
curl = "/usr/bin/curl"
# sed is not referenced by the code visible in this file.
sed = "/usr/bin/sed"
kinit = "/usr/bin/kinit"
import urllib
import re
from subprocess import Popen, PIPE, STDOUT
## Get TGT via kinit - If 2k3, use password method if 2k8
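def getTGTkinit(machine_name):
    """Request a Kerberos TGT for the machine account via kinit.

    Runs ``kinit -k <machine_name>$``; ``-k`` makes kinit take the key from
    a keytab instead of prompting for a password.

    Args:
        machine_name: Machine account name without the trailing ``$``.

    Returns:
        True when kinit exits with status 0, False otherwise. Callers that
        ignore the result are unaffected.
    """
    principal = '%s$' % machine_name
    # Argument list, no shell: machine_name is passed to kinit as one
    # argument and is never interpreted by a shell.
    execute = Popen([kinit, '-k', principal], stdout=PIPE)
    # stdout is captured only to keep kinit quiet; stderr is not redirected,
    # so kinit's own error text still reaches the terminal.
    execute.communicate()
    if execute.returncode != 0:
        # Surface the failure here; curlCsr's `--negotiate` request
        # presumably depends on this ticket being present.
        print('kinit failed for %s (exit status %s)'
              % (principal, execute.returncode))
        return False
    return True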
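def generateMachineCSR(machine_name,key,csr):
    """Create a 2048-bit RSA key pair and a CSR for the machine account.

    Runs ``openssl req -new -batch -newkey rsa:2048 -nodes`` with the
    subject ``/CN=<machine_name>$``.

    Args:
        machine_name: Machine account name without the trailing ``$``.
        key: Path where openssl writes the private key. ``-nodes`` stores
            the key unencrypted, so file permissions are its only
            protection.
        csr: Path where openssl writes the certificate signing request.

    Returns:
        True when openssl exits with status 0, False otherwise. Callers
        that ignore the result are unaffected.
    """
    import os  # local import: needed only for the child's umask

    def _restrict_umask():
        # Runs in the child just before exec, so files openssl creates get
        # no group/other permission bits. It does not change the mode of a
        # file that already exists at the target path.
        os.umask(0o077)

    arguments = [
        openssl,
        'req',
        '-new',
        '-batch',
        '-newkey', 'rsa:2048',
        '-nodes',
        '-keyout', '%s' % key,
        '-out', '%s' % csr,
        '-subj', '/CN=%s$' % machine_name,
    ]
    execute = Popen(arguments, stdout=PIPE, preexec_fn=_restrict_umask)
    execute.communicate()
    if execute.returncode != 0:
        # Do not let callers carry on with a missing or stale key/CSR
        # without any indication that generation failed.
        print('openssl req failed (exit status %s)' % execute.returncode)
        return False
    return True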
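def curlCsr(csr,cert_type,ca_url):
    """Submit a CSR to the CA's certfnsh.asp page and report the request ID.

    The CSR file is read, URL-encoded as the ``CertRequest`` form field and
    POSTed with curl using ``--negotiate`` authentication. The request ID is
    taken from the ``certnew.cer?ReqID=<n>`` link in the response body.

    Args:
        csr: Path of the CSR file to submit.
        cert_type: Certificate template name, sent as
            ``CertAttrib=CertificateTemplate:<cert_type>``.
        ca_url: Base URL of the enrollment site; ``/certfnsh.asp`` is
            appended. The URL is used as given: with a plain ``http://``
            URL the request and the CA's reply are not protected in
            transit, so prefer ``https://`` where the CA offers it.

    Returns:
        The request ID as a string of digits, or None when the response
        contains no request ID (for example when authentication failed or
        the CA rejected the request).
    """
    # Someday we might use this instead of curl
    # http://trac.calendarserver.org/browser/PyKerberos
    with open(csr, 'r') as csr_file:  # close the handle deterministically
        cert_request = csr_file.read()
    encoded_csr = urllib.urlencode({'CertRequest': cert_request})
    arguments = [
        curl,
        '--negotiate',
        '-A',
        'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5',
        # An empty user:password makes curl use the Kerberos ticket cache.
        '-u', ':',
        '-d', encoded_csr,
        '-d', 'SaveCert=yes',
        '-d', 'Mode=newreq',
        '-d', "CertAttrib=CertificateTemplate:%s" % cert_type,
        "%s/certfnsh.asp" % ca_url,
    ]
    print('Attempting to get Request ID...')
    execute = Popen(arguments, stdout=PIPE)
    out, err = execute.communicate()
    # Raw string so the regex escapes are not treated as string escapes.
    req_id_regex = re.search(r'.*location="certnew.cer\?ReqID=(\d+).*', out)
    if req_id_regex is None:
        # The response is whatever the server sent back; without the
        # expected link there is no request ID to report.
        print('No request ID found in the CA response (curl exit status %s)'
              % execute.returncode)
        return None
    req_id = req_id_regex.group(1)
    print('REQ_ID: %s' % req_id)
    return req_id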
# CA host and web-enrollment base URL for this environment.
# NOTE(review): the URL is plain http://, so a CSR submitted through curlCsr
# and the CA's reply would not be protected in transit; prefer https:// if
# the CA offers it.
ca_server = 'WIN-7PO3B92M2FP.wallcity.org'
ca_url = "http://%s/certsrv" % ca_server
# NOTE(review): the private key is written unencrypted (-nodes) to a fixed,
# predictable path in /tmp, a directory shared by all local users; a
# directory only this user can access would be a safer location.
generateMachineCSR('plex','/tmp/machine.key','/tmp/machine.csr')
# Obtain a Kerberos ticket for the 'plex$' machine account.
# curlCsr is defined above but is not called in the lines visible here.
getTGTkinit('plex')