[pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch
by John Magne
[MAN] Apply 'generateCRMFRequest() removed from Firefox'
workarounds to appropriate 'pki' man page
Ticket #1285
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.
To go along with this I have filed a downstream release note bug that shows exactly how to
deploy the new profile to separately create one signing cert and one encryption cert (with archival),
which allows one to accomplish what the former caDualCert profile used to do when Firefox supported it.
[PATCH] Added fix for pki-server for db-update
by Geetika Kapoor
Hi,
Please review this patch. Below is a small summary of this fix and
what we are trying to achieve.
CLI : pki-server db-upgrade
What it should be doing is: if it sees that issuerName doesn't exist (NULL),
it will add it itself.
Operation 1 : Search for the empty cn value for issuerName
-------------------------------------------------------------------------------
Current : (&(objectclass=certificateRecord)(issuerName=*)) -- I
tried this and it didn't show data even if I have a record with an empty issuerName
Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*))) --
This solves the purpose as it shows all the certs without issuerName
Operation 2 : If we see an empty cn value, we replace it with the
value we get from code:
------------------------------------------------------------------------------------------------------------------
<code>
cert = nss.Certificate(bytearray(attr_cert[0]))
issuer_name = str(cert.issuer)
</code>
Current : we are updating the list in the format mentioned below:
'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
Domain']
Do we want to keep this behavior, or do we want to overwrite it in the first
place? I believe that in place of this we should do MOD_REPLACE.
<code>
try:
    conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
                             issuer_name)])
</code>
Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
                                    issuer_name)])
Thanks
Geetika
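The db-upgrade step discussed in the message above, written out as an added example (not pki-server's own code) against the python-ldap calling convention so that the difference between MOD_ADD and MOD_REPLACE on a record that already carries an empty issuerName value can be exercised offline. Assumptions: the DER certificate is read from the `userCertificate;binary` attribute, `issuer_from_cert` stands in for `str(nss.Certificate(bytearray(der)).issuer)`, the `FakeConn` class is a stand-in that only evaluates the one filter used here, and the sample entries and "DER" blobs are constructed.

```python
"""Added example (not pki-server's own code): fill in missing issuerName values
on certificateRecord entries, with a fake connection to show MOD_ADD vs MOD_REPLACE."""

try:
    import ldap  # python-ldap, which pki-server uses
    MOD_ADD, MOD_REPLACE, SCOPE_SUBTREE = ldap.MOD_ADD, ldap.MOD_REPLACE, ldap.SCOPE_SUBTREE
except ImportError:
    # python-ldap's constant values, so the example also runs without the module installed
    MOD_ADD, MOD_REPLACE, SCOPE_SUBTREE = 0, 2, 2

# Filter proposed in the message: certificateRecords whose issuerName does not start with "cn"
MISSING_ISSUER_FILTER = '(&(objectclass=certificateRecord)(!(issuerName=cn*)))'
# Assumption: the DER certificate lives in this attribute of a certificateRecord
CERT_ATTR = 'userCertificate;binary'
BASE_DN = 'ou=certificateRepository,ou=ca,o=pki-tomcat-CA'  # constructed base DN


def fix_issuer_names(conn, base_dn, issuer_from_cert, mod_op=MOD_REPLACE):
    """Populate issuerName on every record the filter returns.

    conn             - python-ldap style connection (search_s / modify_s)
    issuer_from_cert - callable mapping DER bytes to the issuer DN string; in
                       pki-server this is str(nss.Certificate(bytearray(der)).issuer)
    mod_op           - MOD_ADD reproduces the current behaviour, MOD_REPLACE the fix
    Returns {dn: issuer_name} for the records that were modified.
    """
    updated = {}
    for dn, attrs in conn.search_s(base_dn, SCOPE_SUBTREE, MISSING_ISSUER_FILTER, [CERT_ATTR]):
        certs = attrs.get(CERT_ATTR)
        if not certs:
            continue  # nothing to derive the issuer from; leave the record alone
        issuer_name = issuer_from_cert(certs[0])
        # python-ldap 3 expects bytes values in a modlist
        conn.modify_s(dn, [(mod_op, 'issuerName', issuer_name.encode('utf-8'))])
        updated[dn] = issuer_name
    return updated


class FakeConn:
    """Stand-in for an LDAP connection over an in-memory dict of entries.

    search_s evaluates only the one filter this example uses (issuerName not
    starting with "cn", case-insensitively). modify_s implements MOD_ADD as
    "append a value" and MOD_REPLACE as "set the attribute to exactly this value",
    which is how a directory server treats the two operations.
    """
    def __init__(self, entries):
        self.entries = entries

    def search_s(self, base_dn, scope, filterstr, attrlist=None):
        assert filterstr == MISSING_ISSUER_FILTER, 'fake only knows one filter'
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.endswith(base_dn) or b'certificateRecord' not in attrs.get('objectclass', []):
                continue
            if any(v.lower().startswith(b'cn') for v in attrs.get('issuerName', [])):
                continue  # issuerName already populated
            hits.append((dn, {a: attrs[a] for a in (attrlist or attrs) if a in attrs}))
        return hits

    def modify_s(self, dn, modlist):
        attrs = self.entries[dn]
        for op, name, value in modlist:
            if op == MOD_ADD:
                attrs.setdefault(name, []).append(value)
            elif op == MOD_REPLACE:
                attrs[name] = [value]
            else:
                raise ValueError('unsupported op %r' % op)


# Constructed sample data: the "DER" blobs are placeholders; sample_issuer_from_cert
# maps them to the issuer DN the way nss.Certificate(...).issuer would for real certs
ISSUER = 'CN=CA Signing Certificate,O=example.com Security Domain'
SAMPLE_ISSUERS = {b'der-of-cert-7': ISSUER, b'der-of-cert-8': ISSUER, b'der-of-cert-9': ISSUER}


def sample_issuer_from_cert(der):
    return SAMPLE_ISSUERS[der]


def sample_entries():
    rec = [b'certificateRecord']
    return {
        'cn=7,' + BASE_DN: {'objectclass': rec, 'issuerName': [b''],  # empty value, as in the message
                            CERT_ATTR: [b'der-of-cert-7']},
        'cn=8,' + BASE_DN: {'objectclass': rec, CERT_ATTR: [b'der-of-cert-8']},  # attribute absent
        'cn=9,' + BASE_DN: {'objectclass': rec, 'issuerName': [ISSUER.encode('utf-8')],
                            CERT_ATTR: [b'der-of-cert-9']},  # already populated, must be untouched
    }


def run_upgrade(mod_op):
    """Run the upgrade with the given op; return the resulting issuerName values per DN."""
    conn = FakeConn(sample_entries())
    fix_issuer_names(conn, BASE_DN, sample_issuer_from_cert, mod_op)
    return {dn: attrs.get('issuerName') for dn, attrs in conn.entries.items()}


if __name__ == '__main__':
    for op, label in ((MOD_ADD, 'MOD_ADD (current)'), (MOD_REPLACE, 'MOD_REPLACE (proposed)')):
        print(label)
        for dn, values in sorted(run_upgrade(op).items()):
            print('  %s: %r' % (dn, values))
```

Running it shows the record that started with an empty issuerName value ending up with two values under MOD_ADD and exactly one under MOD_REPLACE, while a record whose issuerName is already set is never returned by the filter and so is never modified.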
Re: [Pki-devel] [Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install
by Fraser Tweedale
On Fri, Jul 08, 2016 at 01:18:23PM +0200, Petr Spacek wrote:
> On 8.7.2016 05:42, Fraser Tweedale wrote:
> >
> > 2. If argument contains CN but it is not the "most specific"
> > RDN, move it to the front (to satisfy requirement of Dogtag
> > profile).
>
> I wonder if we can relax the requirement in Dogtag so no reordering is needed.
> After all, DN is just a name, isn't it? Why Dogtag requires particular field
> in DN?
>
Cc pki-devel@. The subject name constraint in the caCAcert profile
is:
policyset.caCertSet.1.constraint.params.pattern=CN=.*
What do you think? Can we relax or remove this constraint - or if
not, why is it required?
Thanks,
Fraser
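The reordering step quoted at the top of the reply above ("if the argument contains CN but it is not the most specific RDN, move it to the front") and the `CN=.*` constraint it works around, as an added example that is neither FreeIPA's nor Dogtag's code. It assumes the profile pattern is applied anchored at the start of the RFC 4514 subject string (Java `Matcher.matches` or Python `re.match` semantics), which is what makes the position of the CN RDN matter, and that only backslash-escaped commas need to be handled when splitting RDNs; the DNs used are constructed.

```python
"""Added example (not Dogtag's or FreeIPA's code): split an RFC 4514 subject
string into RDNs, check it against the caCAcert pattern, and move the CN RDN
to the most-specific position when it is not already there."""
import re

# Pattern quoted from the caCAcert profile; assumed to be matched anchored at
# the start of the subject string, so CN has to be the first RDN
PATTERN = re.compile(r'CN=.*')


def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == ',':
            rdns.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append(''.join(current).strip())
    return rdns


def matches_profile(dn):
    """True if the subject would pass the CN=.* constraint under anchored matching."""
    return PATTERN.match(dn) is not None


def cn_first(dn):
    """Return dn with its first CN RDN moved to the front; unchanged if there is no CN.

    The attribute type is compared case-insensitively, but the RDN text is kept
    as written, so a lowercase 'cn=' still fails the case-sensitive pattern.
    """
    rdns = split_rdns(dn)
    for i, rdn in enumerate(rdns):
        if rdn.upper().startswith('CN='):
            return ','.join([rdn] + rdns[:i] + rdns[i + 1:])
    return dn


if __name__ == '__main__':
    for subject in ('O=EXAMPLE.TEST,CN=Certificate Authority',  # constructed
                    'CN=Certificate Authority,O=EXAMPLE.TEST',
                    'O=EXAMPLE.TEST'):
        fixed = cn_first(subject)
        print('%-45s matches=%-5s -> %-45s matches=%s'
              % (subject, matches_profile(subject), fixed, matches_profile(fixed)))
```

The third subject has no CN at all, so reordering cannot help and the constraint still rejects it; that is the case the caller has to report rather than silently rewrite.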