[Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch

John Magne jmagne at redhat.com
Wed Apr 22 00:57:07 UTC 2015


Looks good :


ACK

Btw, loaded up the Python in PyCharm and could not see any obvious warnings in the new bits of code.

----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: pki-devel at redhat.com
Sent: Tuesday, April 21, 2015 5:40:33 PM
Subject: Re: [Pki-devel]	[PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch

please find revised patch per comments.

thanks,
Christina

On 04/21/2015 11:40 AM, John Magne wrote:
> Some minor things I found.
>
> 1. +    @XmlElement
> +    protected String san_server_cert;
> +
>
> In SystemCertData.java: Name might be a bit confusing, making one think this is a cert and not SAN data.
> How about something like "san_for_server_cert" ?
>
> 2. In methods:  public static void injectSANextensionIntoRequest(IConfigStore config,
> +                           IRequest req) throws Exception {
>
> and
>
>   public static String buildSANSSLserverURLExtension(IConfigStore config)
> +           throws Exception {
>
>
> In file  CertUtil.java
>
> -Can we sanity check the input params to avoid mystery null pointers?
> -I think we previously realized that StringTokenizer has been deprecated in favor of String.split.
> -Could we look at the error checking and decide what to do when there is for instance no SAN data available.
> In these cases the output will be kind of odd.
>
> 3. Still looking at the python, just wanted to get started with this minor stuff.
>
>    
>
>
>
> ----- Original Message -----
>> From: "Christina Fu" <cfu at redhat.com>
>> To: pki-devel at redhat.com
>> Sent: Monday, April 20, 2015 5:00:47 PM
>> Subject: Re: [Pki-devel]	[PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch
>>
>> now with the attachment.
>>
>> On 04/20/2015 02:24 PM, Christina Fu wrote:
>>> This patch allows a SAN to be specified for the server cert during
>>> installation.
>>> It ports some of the code from the now obsolete 8.1 errata that dealt with
>>> IP port separation, and adds the needed pkispawn config parameters and an
>>> example enrollment profile with SAN patterns.
>>>
>>> note: the installation part of the SAN injection code ported was
>>> originally authored by mharmsen, while the backend SAN input code
>>> (authored by myself) was already ported earlier for another purpose.
>>>
>>> Usage:
>>> * under /usr/share/pki/ca/conf, you will find a new file called
>>> serverCert.profile.exampleWithSANpattern
>>> * copy existing serverCert.profile away and replace with
>>> serverCert.profile.exampleWithSANpattern
>>> * edit serverCert.profile.exampleWithSANpattern
>>>    - follow the instruction right above 8.default.
>>>    - save and quit
>>> * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
>>>    - follow the instruction right above policyset.serverCertSet.9
>>>    - save and quit
>>> * save away and edit the ca config file for pkispawn (note: you can
>>> add multiple SANs delimited by ',' for pki_san_server_cert)
>>>    - add the following lines, e.g.
>>>      pki_san_inject=True
>>>      pki_san_server_cert=host1.Example.com
>>>    - do the same pkispawn cfg changes for kra or any other instances
>>> that you plan on creating
>>> * create your instance(s)
>>>    check the SSL server cert, it should contain something like the
>>> following:
>>>
>>>                  Identifier: Subject Alternative Name - 2.5.29.17
>>>                      Critical: no
>>>                      Value:
>>>                          DNSName: host1.Example.com
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>


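The SAN handling described in the patch's usage notes (a comma-delimited pki_san_server_cert list injected as a non-critical Subject Alternative Name extension, 2.5.29.17, with DNSName entries) together with the review points about sanity-checking input and deciding what happens when no SAN data is available, as an added example. This is illustrative Python written for this page, not code from the pki project or from the patch; SAMPLE_CFG, parse_san_hosts, encode_san, decode_san and describe_san are names assumed here, and the config snippet is constructed. It parses the two pkispawn parameters, rejects empty or malformed names rather than emitting an odd extension, DER-encodes the GeneralNames SEQUENCE as it appears in the issued cert, and decodes it back into the DNSName listing the usage notes show.

```python
"""Added example for this page, not pki project code: parse the pkispawn
SAN parameters, then DER-encode and decode the resulting SAN extension value."""
from typing import List, Tuple

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName

# Constructed sample of the pkispawn config lines from the usage notes; the
# trailing empty tokens and the surrounding whitespace are deliberate.
SAMPLE_CFG = """
[CA]
pki_san_inject=True
pki_san_server_cert=host1.Example.com, host2.example.com,,
"""


def _valid_dns_name(name: str) -> bool:
    """RFC 1123 style hostname check: labels of 1-63 ASCII letters/digits/hyphens."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    for label in name.split("."):
        if not 1 <= len(label) <= 63 or label.startswith("-") or label.endswith("-"):
            return False
        if not all((c.isascii() and c.isalnum()) or c == "-" for c in label):
            return False
    return True


def parse_san_hosts(cfg_text: str) -> List[str]:
    """Return the DNS names to inject, or [] when pki_san_inject is not True.

    Blank tokens are dropped; injection enabled with no usable name, or a
    malformed name, raises instead of silently producing an odd extension.
    """
    params = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    if params.get("pki_san_inject", "False").lower() != "true":
        return []
    hosts = [h.strip() for h in params.get("pki_san_server_cert", "").split(",") if h.strip()]
    if not hosts:
        raise ValueError("pki_san_inject=True but pki_san_server_cert holds no names")
    for host in hosts:
        if not _valid_dns_name(host):
            raise ValueError(f"invalid DNS name in pki_san_server_cert: {host!r}")
    return hosts


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san(hosts: List[str]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String."""
    return _der_tlv(0x30, b"".join(_der_tlv(0x82, h.encode("ascii")) for h in hosts))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_san(der: bytes) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs; non-dNSName choices are kept as raw hex."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(("DNSName", value.decode("ascii")))
        else:
            names.append((f"GeneralName[{tag & 0x1F}]", value.hex()))
    return names


def describe_san(der: bytes) -> str:
    """Render the extension the way the usage notes show it in the issued cert."""
    lines = [f"Identifier: Subject Alternative Name - {SAN_OID}", "    Critical: no", "    Value:"]
    lines += [f"        {kind}: {value}" for kind, value in decode_san(der)]
    return "\n".join(lines)


if __name__ == "__main__":
    san = encode_san(parse_san_hosts(SAMPLE_CFG))
    print(san.hex())
    print(describe_san(san))
```

Run stand-alone it prints the DER hex of the extension value and the certutil-style listing for the two constructed names. The early failure in parse_san_hosts is the kind of check the review asks for: an enabled injection with an empty or malformed pki_san_server_cert stops the spawn with a clear message rather than reaching the enrollment profile with odd SAN data.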