This patch is for https://pagure.io/dogtagpki/issue/2618 (allow CA to process pre-signed CMC renewal cert requests)

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA
to process pre-signed CMC renewal requests. In the world of
CMC, renewal requests are full CMC requests that are signed by
a previously issued signing certificate.

The implementation approach is to use the
caFullCMCUserSignedCert with the enhanced profile constraint:
UniqueKeyConstraint.

UniqueKeyConstraint has been updated to disallow renewal
of the same key shared by a revoked certificate. It also saves
the origNotAfter of the newest certificate sharing the same
key in the request to be used by the
RenewGracePeriodConstraint.

The profile caFullCMCUserSignedCert.cfg has been updated
to have both UniqueKeyConstraint and
RenewGracePeriodConstraint. They must be placed in the
correct order. By default in the UniqueKeyConstraint the
constraint parameter allowSameKeyRenewal=true.

Thanks,
Christina
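
The ordering dependency described in the message above, as an added Python model that is not part of the original message and is not Dogtag code. The class and function names, the 30-day grace window, the choice of "newest" as latest notAfter, and the behaviour of skipping the grace check when no origNotAfter was recorded are all assumptions made for illustration; the sample certificates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:                      # simplified record of an issued certificate
    key_id: str
    not_after: datetime
    revoked: bool = False

@dataclass
class Request:
    key_id: str
    ext: dict = field(default_factory=dict)   # data passed between constraints

class Rejected(Exception):
    pass

def unique_key_constraint(req, issued, allow_same_key_renewal=True):
    same_key = [c for c in issued if c.key_id == req.key_id]
    if any(c.revoked for c in same_key):
        raise Rejected("key is shared by a revoked certificate")
    if same_key and not allow_same_key_renewal:
        raise Rejected("key already in use")
    if same_key:
        # Record the expiry of the newest cert with this key for the next constraint.
        req.ext["origNotAfter"] = max(c.not_after for c in same_key)

def renew_grace_period_constraint(req, now, grace=timedelta(days=30)):
    orig = req.ext.get("origNotAfter")
    if orig is not None and not (orig - grace <= now <= orig + grace):
        raise Rejected("outside renewal grace period")

def evaluate(req, issued, now, order=("unique", "grace")):
    steps = {"unique": lambda: unique_key_constraint(req, issued),
             "grace": lambda: renew_grace_period_constraint(req, now)}
    try:
        for name in order:       # constraints run in profile order
            steps[name]()
        return "accepted"
    except Rejected as e:
        return f"rejected: {e}"

# Constructed sample data: k1 expires soon, k2 expires in a year, k3 has a revoked cert.
NOW = datetime(2017, 6, 1)
ISSUED = [Cert("k1", datetime(2017, 6, 15)), Cert("k2", datetime(2018, 6, 1)),
          Cert("k3", datetime(2017, 6, 15), revoked=True),
          Cert("k3", datetime(2017, 6, 20))]
```

In this model, evaluating the k2 request with the order reversed accepts it, because the grace-period check runs before origNotAfter has been saved.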