<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
This is what I have so far. Just a few comments on the overall
logic. I'm not making any Python coding-specific comments.<br>
<br>
1. In
base/server/python/pki/server/deployment/scriptlets/configuration.py<br>
doesn't this just add the leaf cert rather than the whole chain? In
other words, if your chain contains 2 or more certs, only the leaf
sub-CA cert is added, isn't it?<br>
<pre wrap="">+ nssdb.add_cert(
+ nickname=external_ca_nickname,
+ cert_file=external_ca_cert_chain_file,
+ trust_attributes='CTu,CTu,CTu')
</pre>
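Review bot: the input is called external_ca_cert_chain_file, but this add_cert call passes a single nickname and a single trust string, so a PEM file holding more than one certificate cannot be imported as a chain through it; either split the file and import each issuer certificate under its own nickname with CA-only trust (for example 'CT,C,C'), or rename the option and document that exactly one certificate is expected. 'CTu,CTu,CTu' belongs only on the CA's own certificate, whose private key lives in this database.<br>
<br>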
2. Also in the same file<br>
+ # If specified, import externally-signed CA cert in NSS database.<br>
...<br>
Shouldn't there be a case where the externally signed CA keys were
generated on the HSM? You'd then need to import the issued
externally signed CA cert into the HSM DB as well.<br>
<br>
3.
base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java<br>
I'm not seeing the following method being called, yet
getExternal() is being called... did I miss something?<br>
<pre>+ public void setExternal(Boolean external) {
+ this.external = external;
+ }
</pre>
4. base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java<br>
<pre>
+ public static void loadCert(Cert cert) throws Exception {
...
+ // create certificate record to reserve the serial number in internal database
+ ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta);
+ cr.addCertificateRecord(record);
</pre>
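Review bot: the createCertRecord/addCertificateRecord pair in loadCert runs unconditionally, so importing an existing CA certificate whose serial number is already present in the repository will attempt to add a duplicate record; look up serialNo first and skip or update the existing record, or limit the reservation to the self-signed case, where this CA is the one that assigned the serial number. The bare `throws Exception` also hides which step failed; narrowing it to the exceptions the repository calls actually raise would let the caller tell a duplicate-record conflict from other failures.<br>
<br>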
In the case of an externally signed CA or an existing CA, why would you
need to reserve the serial number, or even add it to the certificate
repository?<br>
<br>
5.<br>
Finally, please add comments to explain the cases for
clarification, such as "stand-alone vs. external; step 1, step 2,
etc." For example, it seems "external" could imply "existing"
as well in terms of the CA cert; you might want to put that in a comment.<br>
<br>
Christina<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 11/16/2015 09:24 AM, Endi Sukma
Dewata wrote:<br>
</div>
<blockquote cite="mid:564A1134.2010406@redhat.com" type="cite">On
11/9/2015 1:59 PM, Endi Sukma Dewata wrote:
<br>
<blockquote type="cite">The CA certificate request and signing
processes have been moved
<br>
from the configuration servlet into the deployment scriptlet.
This
<br>
way the admin will have the option to:
<br>
<br>
* generate self-signed CA certificate
<br>
* import externally-signed CA certificate
<br>
* import existing CA certificate
<br>
<br>
before the server is started for the first time.
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/456">https://fedorahosted.org/pki/ticket/456</a>
<br>
<br>
Note: This is a preliminary patch. There is some unfinished
work.
<br>
</blockquote>
<br>
Attached is the actual patch.
<br>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
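Added example for points 1 and 2 of the review above; it is not code from the patch under review or from the Dogtag PKI project. It assumes, as the review suspects, that handing a multi-certificate PEM file to a single add_cert/certutil -A call stores only the first certificate, so it splits the file and imports each certificate on its own. The nicknames, the trust flags, the token parameter for an HSM and the run hook are this example's own choices, and the PEM blocks it carries are constructed placeholders, not real certificates.<br>

```python
"""Import every certificate in a PEM chain into an NSS database.

Example code written for this review; it is not part of the Dogtag PKI
patch or project. It assumes that passing a multi-certificate PEM file to
one `certutil -A` call stores only the first certificate, so the chain is
split and each certificate gets its own import. Nicknames, trust flags,
the `token` option and the `run` hook are this example's own choices.
"""
import os
import re
import subprocess
import tempfile

# One PEM certificate block; non-greedy so a chain yields several matches.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the PEM blocks in file order (leaf first, root last)."""
    blocks = PEM_CERT.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificates found in chain file")
    return blocks


def plan_chain_import(chain_pem, db_dir, ca_nickname, token=None,
                      ca_trust="CTu,CTu,CTu", issuer_trust="CT,C,C"):
    """Build one `certutil -A` argv per certificate in the chain.

    The first block is the CA's own externally signed certificate: it keeps
    the 'u' (user) flag because its private key is in the same DB or token.
    Issuer certificates carry no key here, so they only get CA trust.
    When the key was generated on an HSM, `token` names the PKCS#11 token so
    the certificate is stored beside the key (-h) and not in the software DB.
    Returns a list of (argv, pem_block) pairs; nothing is executed here.
    """
    plan = []
    for i, pem in enumerate(split_pem_chain(chain_pem)):
        if i == 0:
            nickname, trust = ca_nickname, ca_trust
        else:
            # Example naming only; real code would derive it from the subject.
            nickname, trust = "%s issuer %d" % (ca_nickname, i), issuer_trust
        argv = ["certutil", "-A", "-d", db_dir, "-n", nickname,
                "-t", trust, "-a"]
        if token:
            argv += ["-h", token]
        plan.append((argv, pem))
    return plan


def import_chain(chain_pem, db_dir, ca_nickname, token=None,
                 run=subprocess.run):
    """Write each certificate to a temp file and import it.

    `run` defaults to subprocess.run; tests inject a recorder instead.
    Returns the argv of every command issued.
    """
    issued = []
    for argv, pem in plan_chain_import(chain_pem, db_dir, ca_nickname, token):
        fd, path = tempfile.mkstemp(suffix=".pem")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(pem + "\n")
            cmd = argv + ["-i", path]
            run(cmd, check=True)
            issued.append(cmd)
        finally:
            os.unlink(path)
    return issued


# Constructed placeholder chain (leaf, intermediate, root). The bodies are
# not real certificates; only the PEM framing matters to the splitter.
SAMPLE_CHAIN = "\n".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body
    for body in ("TEVBRg==", "SU5URVJNRURJQVRF", "Uk9PVA=="))

if __name__ == "__main__":
    # Example nickname and DB path; adjust to the deployment's own values.
    for argv, _ in plan_chain_import(SAMPLE_CHAIN,
                                     "sql:/var/lib/pki/pki-tomcat/alias",
                                     "caSigningCert cert-pki-ca",
                                     token="hsm"):
        print(" ".join(argv))
```

Running the module prints the three certutil commands it would issue for the placeholder chain; only the first carries the 'u' flag, and each carries -h hsm so the certificate lands on the token next to the key instead of in the software database.<br>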
</body>
</html>