This is what I have so far. Just a few comments on the overall
logic. I'm not making any Python coding-specific comments.
1. In base/server/python/pki/server/deployment/scriptlets/configuration.py, doesn't this just add the leaf cert rather than the whole chain? In other words, if your chain contains 2 or more certs, only the leaf subca cert is added, isn't it?
+ nssdb.add_cert(
+ nickname=external_ca_nickname,
+ cert_file=external_ca_cert_chain_file,
+ trust_attributes='CTu,CTu,CTu')
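Review bot: the single trust string 'CTu,CTu,CTu' is applied to everything loaded from external_ca_cert_chain_file, so if that file carries more than the CA's own certificate, every chain cert gets the same user (u) and trusted-CA flags for SSL, email and object signing. Consider reserving 'CTu,CTu,CTu' for the CA certificate whose private key lives in this database and importing any remaining chain certs with a narrower trust string such as 'CT,C,C', so the trust granted stays limited to what the deployment needs.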
2. Also in the same file:
+ # If specified, import externally-signed CA cert in NSS database.
...
Shouldn't there be a case where the externally-signed CA keys were generated on the HSM? You'd then need to import the issued externally-signed CA cert into the HSM db as well.
3. In base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java, I'm not seeing the following method being called, yet getExternal() is being called... did I miss something?
+ public void setExternal(Boolean external) {
+ this.external = external;
+ }
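Review bot: setExternal() stores a boxed Boolean, so while no caller sets it the field stays null, and any code that unboxes getExternal() in a condition (if (request.getExternal())) will throw a NullPointerException. Either initialise the field to Boolean.FALSE, switch to the primitive boolean, or make the getter return false for null, and document which configuration path is expected to set it.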
4. base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+ public static void loadCert(Cert cert) throws Exception {
...
+ // create certificate record to reserve the serial number in internal database
+ ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta);
+ cr.addCertificateRecord(record);
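Review bot: nothing in this hunk checks whether a record for serialNo already exists before cr.addCertificateRecord(record), so importing an existing CA certificate whose serial is already in the repository, or re-running configuration, will either fail on the duplicate or leave two records for one serial. Look the serial up first and skip or update the record, and note in a comment which of the self-signed, externally-signed and existing cases actually needs the reservation.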
In the case of an externally-signed CA or an existing CA, why would you need to reserve the serial number, or even add it to the certificate repository?
5. Finally, please add comments to explain the cases for clarification, such as "stand-alone vs. external; step 1, step 2, etc." For example, it seems that "external" could imply "existing" as well in terms of the CA cert; you might want to put that in a comment.
Christina
On 11/16/2015 09:24 AM, Endi Sukma Dewata wrote:
On 11/9/2015 1:59 PM, Endi Sukma Dewata wrote:
The CA certificate request and signing processes have been moved from the configuration servlet into the deployment scriptlet. This way the admin will have the option to:
* generate self-signed CA certificate
* import externally-signed CA certificate
* import existing CA certificate
before the server is started for the first time.
https://fedorahosted.org/pki/ticket/456
Note: This is a preliminary patch. There is some unfinished work.
Attached is the actual patch.
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel