[Pki-devel] Review of Standalone DRM/OCSP design

Ade Lee alee at redhat.com
Tue Sep 10 18:52:19 UTC 2013


This is a review of the design at
http://pki.fedoraproject.org/wiki/Stand-alone_PKI_Subsystems

1. We should emphasize that standalone KRA is not expected to 
communicate with any other CS subsystems (except for its clone).

2. Cloned subsystems (OCSP and DRM) do not generate new admin certs.
They use the one from the master.

3. Standalone DRM slated for 10.1 which is F20+.  Standalone OCSP is
undetermined.

4. Changes to default.cfg:
  a) you need variables to specify the location of the admin cert 
     CSR/cert.
  b) You are also going to need variables for the external CA cert 
     and chain, so that you can import and trust it.

     pki_external_ca_cert_chain_path=
     pki_external_ca_cert_path=

5. As mentioned before, it's very likely that not all the servlets listed
in web.xml will be needed.  You'll have to look at the access log and
see what is actually called.  In general, you want to choose REST
interfaces if available, followed by admin interfaces.  Keep in mind
that as standalone systems are brand new, we can expect them to have the
latest interfaces.

Other than that, looks fine.

Ade
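Point 5 above suggests reading the server access log to see which servlets a standalone subsystem actually calls, preferring REST interfaces, then admin interfaces. The script below is an added example (not from the message or the Dogtag project) that does that triage over Tomcat-style access-log lines: it strips query strings, drops static assets, tallies each method and path, and ranks the result REST first, then admin, then legacy servlets. The log lines are constructed for the example, and the path conventions it uses to classify a request (/<subsystem>/rest/... as REST, /<subsystem>/admin/... as admin, anything else as legacy) are assumptions about the layout, not something the review states.

```python
import re
from collections import Counter

# Constructed sample lines in Tomcat "common" access-log format.
# These are not real PKI traffic; the paths only illustrate the assumed layout.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2013:18:40:01 +0000] "GET /kra/rest/account/login HTTP/1.1" 200 512
10.0.0.5 - - [10/Sep/2013:18:40:02 +0000] "GET /kra/rest/admin/kraconnector/ HTTP/1.1" 200 310
10.0.0.5 - - [10/Sep/2013:18:40:03 +0000] "POST /kra/admin/kra/getStatus HTTP/1.1" 200 220
10.0.0.5 - - [10/Sep/2013:18:40:04 +0000] "GET /kra/agent/kra/listRequests?op=list HTTP/1.1" 200 4096
10.0.0.5 - - [10/Sep/2013:18:40:05 +0000] "GET /kra/rest/account/login HTTP/1.1" 200 512
10.0.0.5 - - [10/Sep/2013:18:40:06 +0000] "GET /kra/images/logo.png HTTP/1.1" 200 1200
garbage line that does not match the format
"""

# Matches the request portion of a common/combined log entry: method, path, HTTP version, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

# Static assets are served by the container, not by a servlet, so they are noise here.
STATIC_RE = re.compile(r"\.(png|gif|jpg|css|js|ico)$")


def classify(path):
    """Assumed path conventions: /<subsystem>/rest/... is REST, /<subsystem>/admin/... is admin,
    anything else is treated as a legacy servlet interface."""
    parts = path.split("/")
    if len(parts) > 2:
        if parts[2] == "rest":
            return "rest"
        if parts[2] == "admin":
            return "admin"
    return "legacy"


def tally(log_text, skip_static=True):
    """Count (method, path, category) triples; query strings are stripped so that
    repeated calls to the same servlet with different parameters collapse together."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole pass
        path = m.group("path").split("?", 1)[0]
        if skip_static and STATIC_RE.search(path):
            continue
        counts[(m.group("method"), path, classify(path))] += 1
    return counts


def report(counts):
    """Rows as (method, path, category, count), ordered REST, then admin, then legacy,
    and within a category by descending call count, then path."""
    rank = {"rest": 0, "admin": 1, "legacy": 2}
    rows = sorted(counts.items(), key=lambda kv: (rank[kv[0][2]], -kv[1], kv[0][1]))
    return [(method, path, category, n) for (method, path, category), n in rows]


if __name__ == "__main__":
    for method, path, category, n in report(tally(SAMPLE_LOG)):
        print(f"{n:4d}  {category:6s}  {method:5s} {path}")
```

Run it against a real localhost_access_log from a subsystem that has been exercised through its normal workflows; anything that never appears in the "legacy" rows is a candidate for removal from web.xml, and anything that does appear there is worth checking for a REST or admin equivalent first.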
