G'day,
The first major patch for lightweight sub-CAs is attached for
review. Some important features are not yet implemented in this
patch:
- Sub-CA creation
- Caching of sub-CA instances
- Signing key replication for clones
- CRLs (the OCSP servlet works for sub-CAs, however)
- Sub-CA support is possibly missing from some web servlets /
templates. Let me know if you hit any.
Because sub-CA creation is not implemented, if you want to test this
patch you will need to:
1. Use the top-level CA to sign a sub-CA certificate and manually
install it in the NSSDB with the nickname:
"${TOPLEVEL_CA_NICKNAME} ${SUB_CA_HANDLE}"
2. Create the sub-CA certificate repository OU:
"ou=${SUB_CA_HANDLE},ou=certificateRepository,ou=ca,o=pki-tomcat-CA"
3. When submitting requests or other queries via HTTP, edit the
initial link target or form action to include the query parameter:
"?caRef=${SUB_CA_HANDLE}"
(Subsequent pages should not require this intervention.)
I have also updated the design proposal with some refinements and
details of the implementation so far:
http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
Looking forward to your feedback / bug reports!
Fraser
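A helper script for the three manual setup steps in the mail above, added here as an example rather than code from the patch or from Dogtag itself. The nickname format, the OU DN and the caRef query parameter come from the mail; the NSSDB path, LDAP connection variables, certutil trust flags and the RUN_SUBCA_SETUP guard are assumptions.

```shell
#!/bin/sh
# Added example (not part of the patch): helpers for the manual sub-CA test
# setup. Assumed environment: NSSDB, SUBCA_CERT, LDAP_URL, LDAP_BIND_DN,
# LDAP_BIND_PW, TOPLEVEL_CA_NICKNAME, SUB_CA_HANDLE.
set -eu

# Step 1: nickname under which the signed sub-CA cert is installed,
# i.e. "${TOPLEVEL_CA_NICKNAME} ${SUB_CA_HANDLE}".
subca_nickname() {
    printf '%s %s' "$1" "$2"
}

# Step 2: LDIF for the per-sub-CA certificate repository OU.
subca_ou_ldif() {
    handle=$1
    printf 'dn: ou=%s,ou=certificateRepository,ou=ca,o=pki-tomcat-CA\n' "$handle"
    printf 'objectClass: top\nobjectClass: organizationalUnit\nou: %s\n' "$handle"
}

# Step 3: add caRef to a link target or form action, using '?' or '&'
# depending on whether a query string is already present, and leaving
# URLs that already carry caRef untouched.
add_caref() {
    url=$1
    handle=$2
    case $url in
        *\?caRef=*|*\&caRef=*) printf '%s' "$url" ;;
        *\?*)                  printf '%s&caRef=%s' "$url" "$handle" ;;
        *)                     printf '%s?caRef=%s' "$url" "$handle" ;;
    esac
}

# Performs steps 1 and 2 against a live instance; only run when
# RUN_SUBCA_SETUP=1. The sub-CA private key is assumed to already be in
# $NSSDB (generated there before the top-level CA signed the request),
# so 'u,u,u' marks the imported cert as one we hold the key for.
subca_test_setup() {
    nick=$(subca_nickname "$TOPLEVEL_CA_NICKNAME" "$SUB_CA_HANDLE")
    certutil -A -d "$NSSDB" -n "$nick" -t 'u,u,u' -i "$SUBCA_CERT"
    subca_ou_ldif "$SUB_CA_HANDLE" \
        | ldapadd -x -H "$LDAP_URL" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW"
}

if [ "${RUN_SUBCA_SETUP:-0}" = 1 ]; then
    subca_test_setup
fi
```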