[PATCH] Fixed adminEnroll servlet browser import issue
by Matthew Harmsen
Please review the attached patch which addresses:
* PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template
  succeeds but fails on import into browser
  <https://fedorahosted.org/pki/ticket/1669>
This was tested on Fedora 23 by doing the following:
* installed and configured a CA
* Successfully tested enrollment in a browser after importing the
  original Admin certificate
* systemctl stop pki-tomcatd@pki-tomcat.service
* edited /etc/pki/pki-tomcat/ca/CS.cfg to set:
    o ca.Policy.enable=true
    o cmsgateway.enableAdminEnroll=true
* systemctl start pki-tomcatd@pki-tomcat.service
* created a new Firefox profile
* traversed to the EE page, went to the Retrieval tab, imported the CA
  cert, and trusted it
* within this new profile, traversed to
  https://pki.example.com:8443/ca/admin/ca/adminEnroll.html, and
  filled out the form
* with this patch installed, it should generate a new admin
  certificate and import it successfully into this new profile -- to
  check, attempt to use the imported admin certificate to traverse to
  the Agents page
8 years, 4 months
[PATCH] 0084..0086 Lightweight CA replication support
by Fraser Tweedale
Hi all,
The attached patches implement replication support for lightweight
CAs. These patches do not implement key replication via Custodia
(my next task) but they do implement the persistent search thread
and appropriate** API behaviour when the signing keys are not yet
available.
** In most cases, we respond 503 Service Unavailable; this is open
for discussion. ca-authority-find and ca-authority-show include
a boolean field indicating whether the CA is ready to sign.
There might be (probably are) endpoints I've missed.
Cheers,
Fraser
8 years, 4 months
[PATCH] 297, 298 add validity check for external CA
by Ade Lee
commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
Author: Ade Lee <alee(a)redhat.com>
Date: Fri Apr 22 15:31:43 2016 -0400

    Add validity check for the signing certificate in pkispawn

    When either an existing CA or external CA installation is
    performed, use the pki-server cert validation tool to check
    the signing certificate and chain.

    Ticket #2043

commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
Author: Ade Lee <alee(a)redhat.com>
Date: Wed Apr 20 17:26:23 2016 -0400

    Add CLI to check system certificate status

    We add two different calls:

    1. pki client-cert-validate - which checks a certificate in the client
       certdb and calls the System cert verification call performed by JSS
       in the system self test. This does some basic extensions and trust
       tests, and also validates cert validity and cert trust chain.

    2. pki-server subsystem-cert-validate <subsystem>
       This calls pki client-cert-validate using the nssdb for the subsystem
       on all of the system certificates by default (or just one if the
       nickname is defined).

    This is a great thing to call when healthchecking an instance,
    and also will be used by pkispawn to verify the signing cert in the
    externally signed CA case.

    Trac Ticket 2043

8 years, 4 months