<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>pushed to master:</p>
    <p><span class="comment_text comment_body">commit
        8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb</span></p>
    <p><span class="comment_text comment_body">thanks,</span></p>
    <p><span class="comment_text comment_body">Christina<br>
      </span></p>
    <br>
    <div class="moz-cite-prefix">On 05/19/2017 06:36 PM, John Magne
      wrote:<br>
    </div>
    <blockquote
      cite="mid:1081838551.193093.1495244212520.JavaMail.zimbra@redhat.com"
      type="cite">
      <pre wrap="">ACK:

Just make sure these changed constraints don't have any negative effect on existing profiles that use those constraints.

----- Original Message -----
From: "Christina Fu" <a class="moz-txt-link-rfc2396E" href="mailto:cfu@redhat.com">&lt;cfu@redhat.com&gt;</a>
To: <a class="moz-txt-link-abbreviated" href="mailto:pki-devel@redhat.com">pki-devel@redhat.com</a>
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH]    Ticket-2618-feature-pre-signed-CMC-renewal-request.patch



This patch is for <a class="moz-txt-link-freetext" href="https://pagure.io/dogtagpki/issue/2618">https://pagure.io/dogtagpki/issue/2618</a> allow CA to process pre-signed CMC renewal cert requests 

Ticket#2618 feature: pre-signed CMC renewal request 

This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate. 
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. 
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. 
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true. 


Thanks, 

Christina 

</pre>
    </blockquote>
    <br>
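    <p>Added example, not part of the original thread or of the Dogtag code: a simplified Python model of the two constraints as the patch description states them, showing why their order in the profile matters. The record layout, function names, the 30-day grace windows and the handling of a missing origNotAfter are assumptions made for illustration.</p>
<pre>
```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Cert:                      # constructed stand-in for a CA database record
    key_id: str
    not_after: datetime
    revoked: bool = False

class Rejected(Exception):
    pass

def unique_key_constraint(req, issued, allow_same_key_renewal=True):
    same_key = [c for c in issued if c.key_id == req["key_id"]]
    if not same_key:
        return                   # fresh key: nothing to renew
    if not allow_same_key_renewal:
        raise Rejected("key already used by an issued certificate")
    if any(c.revoked for c in same_key):
        raise Rejected("key is shared by a revoked certificate")
    # Hand the newest expiry to the grace-period check via the request.
    req["origNotAfter"] = max(c.not_after for c in same_key)

def renew_grace_period_constraint(req, now, before_days=30, after_days=30):
    orig = req.get("origNotAfter")
    if orig is None:
        return                   # model assumption: treated as not a renewal
    if orig - timedelta(days=before_days) > now:
        raise Rejected("renewal requested too early")
    if now > orig + timedelta(days=after_days):
        raise Rejected("renewal requested too late")

def evaluate(key_id, issued, now, order):
    req = {"key_id": key_id}
    try:
        for constraint in order:
            if constraint == "unique":
                unique_key_constraint(req, issued)
            else:
                renew_grace_period_constraint(req, now)
    except Rejected as e:
        return "rejected: " + str(e)
    return "accepted"

# Constructed sample data.
NOW = datetime(2017, 5, 19)
ISSUED = [Cert("k-ok", datetime(2017, 6, 1)),
          Cert("k-early", datetime(2018, 6, 1)),
          Cert("k-rev", datetime(2017, 6, 1), revoked=True),
          Cert("k-rev", datetime(2017, 12, 1))]
```
</pre>
    <p>In this model, evaluating the grace-period check before the unique-key check lets the early renewal for k-early through, because origNotAfter has not yet been stored in the request when the grace check runs.</p>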
  </body>
</html>