[Freeipa-devel] [RFE] CA-less install
Petr Viktorin
pviktori at redhat.com
Fri Mar 29 11:57:28 UTC 2013
On 03/27/2013 04:40 PM, John Dennis wrote:
> On 03/27/2013 11:23 AM, Petr Viktorin wrote:
>> I don't want to check the subject because this RFE was prompted by IPA's
>> normal CA rejecting valid wildcart certs. Is there a reasonable way to
>> ask NSS if it will trust the cert?
>
> Yes. NSS provides a variety of tools to test validation.
>
> Going just on memory here, our current version of python-nss has a
> simple call to test validation. Sometime in the last year I added a fair
> amount of new support for certificate validation including getting back
> diagnostic information for validation failures, however if I recall
> correctly the extended functionality in python-nss has not been released
> yet.
Does the new code include downloading and importing CRLs?
> Finding time to work on python-nss has been a problem. This is further
> complicated by the fact Mozilla has changed from CVS to Mercurial while
> I had this code in development and I haven't moved over to the new
> distributed SCM yet.
--
Petr³
More information about the Freeipa-devel
mailing list