This is what I have so far. Just a few comments on the overall logic.
I'm not making any Python coding-specific comments.
1. In base/server/python/pki/server/deployment/scriptlets/configuration.py,
doesn't this just add the leaf cert rather than the whole chain? In
other words, if your chain contains 2 or more certs, only the leaf subca
cert is added, isn't it?
+ nssdb.add_cert(
+ nickname=external_ca_nickname,
+ cert_file=external_ca_cert_chain_file,
+ trust_attributes='CTu,CTu,CTu')
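Review bot: cert_file=external_ca_cert_chain_file is handed to a single add_cert() call with one nickname and one set of trust attributes, so it is worth confirming whether add_cert() imports only the first certificate in that file; if the whole chain is meant to land in the NSS database, loop over the certificates in the file with a distinct nickname each, and keep the 'u' flag in 'CTu,CTu,CTu' for the certificate whose private key is in this database, since the issuing CAs above it only need CA trust without the user-cert flag.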
2. Also in the same file:
+ # If specified, import externally-signed CA cert in NSS database.
...
Shouldn't there be a case when the externally signed ca keys were
generated on the hsm, you'd then need to import the issued externally
signed ca cert into the hsm db as well?
3. base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
I'm not seeing the following method being called, yet getExternal()
is being called... did I miss something?
+ public void setExternal(Boolean external) {
+ this.external = external;
+ }
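Review bot: setExternal() has no visible caller while getExternal() is used; if the setter exists only so the request binding can populate ConfigurationRequest from the client's request, a one-line comment on the setter saying so would answer the question, otherwise the field may never be set and getExternal() will return whatever the field was initialized to.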
4. base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+ public static void loadCert(Cert cert) throws Exception {
...
+ // create certificate record to reserve the serial number in internal database
+ ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta);
+ cr.addCertificateRecord(record);
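Review bot: createCertRecord() and addCertificateRecord() run unconditionally, so calling loadCert() for a certificate whose serial number already has a record (an existing CA cert, or a re-run of the configuration step) will either fail on the duplicate or insert a second record; look up an existing record for serialNo before adding, and for the externally-signed case add a comment explaining why the record is wanted at all, since that serial number was assigned by the external issuer and says nothing about this CA's own serial range.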
In case of an externally signed ca or existing ca, why would you need to
reserve the serial number or even add in the certificate repository?
5. Finally, please add comments to explain the cases for clarification,
such as "stand-alone vs. external; step 1, step 2, etc." For example,
it seems "external" could imply "existing" as well in terms of the CA
cert; you might want to put that in a comment.
Christina
On 11/16/2015 09:24 AM, Endi Sukma Dewata wrote:
On 11/9/2015 1:59 PM, Endi Sukma Dewata wrote:
> The CA certificate request and signing processes have been moved
> from the configuration servlet into the deployment scriptlet. This
> way the admin will have the option to:
>
> * generate self-signed CA certificate
> * import externally-signed CA certificate
> * import existing CA certificate
>
> before the server is started for the first time.
>
>
> https://fedorahosted.org/pki/ticket/456
>
> Note: This is a preliminary patch. There are some unfinished works.
Attached is the actual patch.
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
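To make the leaf-versus-chain point from comment 1 concrete, the following Python is an added example and is not code from the patch or from Dogtag PKI. It splits a PEM chain file into its individual certificates and imports each one with its own nickname and trust attributes. The NSS database is simulated by an in-memory class (a stand-in for the real nssdb object, which is an assumption about its shape), the PEM blocks are constructed placeholders rather than real certificates, and the chain ordering (the CA's own certificate first, its issuers after it) and the nickname suffixes are assumptions for the illustration.

```python
"""Added example: import every certificate of a PEM chain file into an
NSS-style database, one add_cert() call per certificate, instead of
passing the whole chain file to a single call."""
import base64
import re

# Matches each PEM certificate block; DOTALL so the base64 body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM chain, in file order."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split())))
    if not ders:
        raise ValueError("no certificates found in chain file")
    return ders


class FakeNSSDatabase:
    """Stand-in (assumption) for the real NSS database wrapper: records
    exactly one entry per add_cert() call, keyed by nickname."""

    def __init__(self):
        self.certs = {}

    def add_cert(self, nickname, der, trust_attributes):
        if nickname in self.certs:
            raise ValueError("nickname already present: " + nickname)
        self.certs[nickname] = (der, trust_attributes)


def import_ca_chain(nssdb, nickname, pem_text):
    """Import a CA certificate chain certificate by certificate.

    Assumptions: the chain lists the CA's own certificate first and its
    issuers after it.  Only the first certificate corresponds to a private
    key held in this database, so it alone gets the 'u' (user cert) flag;
    the issuing CAs above it are imported as trusted CAs without a key.
    Returns the nicknames that were added, in order.
    """
    ders = split_pem_chain(pem_text)
    nssdb.add_cert(nickname, ders[0], 'CTu,CTu,CTu')
    for i, der in enumerate(ders[1:], start=1):
        # Hypothetical nickname scheme for the issuers above the CA cert.
        nssdb.add_cert('%s chain %d' % (nickname, i), der, 'CT,C,C')
    return list(nssdb.certs)


def constructed_chain():
    """Constructed PEM text with three placeholder blocks (not real certificates)."""
    blocks = []
    for label in (b"external-ca-placeholder",
                  b"intermediate-placeholder",
                  b"root-placeholder"):
        b64 = base64.b64encode(label).decode()
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64)
    return "".join(blocks)


if __name__ == "__main__":
    db = FakeNSSDatabase()
    # With a single add_cert() on the whole file, only one nickname would exist;
    # the loop above yields one entry per certificate in the chain.
    print(import_ca_chain(db, 'external-ca', constructed_chain()))
```

The loop is what a single add_cert(cert_file=external_ca_cert_chain_file) call cannot express: one nickname and one trust string cover one certificate, so a three-certificate chain needs three entries, and only the entry backed by a key in the database should carry the user-cert flag.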