ACK:
Just make sure these changed constraints don't have any negative effect on existing
profiles that use those constraints.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
This patch is for
https://pagure.io/dogtagpki/issue/2618 allow CA to process pre-signed
CMC renewal cert requests
Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow CA to process pre-signed CMC
renewal requests. In the world of CMC, renewal requests are full CMC requests that are
signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced
profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked
certificate. It also saves the origNotAfter of the newest certificate sharing the same key
in the request to be used by the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint
and RenewGracePeriodConstraint. They must be placed in the correct order. By default in
the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
Thanks,
Christina