[Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch

Christina Fu cfu at redhat.com
Wed Apr 22 01:39:31 UTC 2015


pushed to master:
commit e2683d6a8f6211ac58a5674aaa626814f26ebbf2

Christina

On 04/21/2015 05:57 PM, John Magne wrote:
> Looks good:
>
>
> ACK
>
> Btw, loaded up the python in pycharm and could not see any obvious warnings in the new bits of code.
>
> ----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Tuesday, April 21, 2015 5:40:33 PM
> Subject: Re: [Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch
>
> please find revised patch per comments.
>
> thanks,
> Christina
>
> On 04/21/2015 11:40 AM, John Magne wrote:
>> Some minor things I found.
>>
>> 1. +    @XmlElement
>> +    protected String san_server_cert;
>> +
>>
>> In SystemCertData.java: Name might be a bit confusing, making one think this is a cert and not san data.
>> How about something like "san_for_server_cert" ?
>>
>> 2. In methods:  public static void injectSANextensionIntoRequest(IConfigStore config,
>> +                           IRequest req) throws Exception {
>>
>> and
>>
>>    public static String buildSANSSLserverURLExtension(IConfigStore config)
>> +           throws Exception {
>>
>>
>> In file  CertUtil.java
>>
>> -Can we sanity check the input params to avoid mystery null pointers?
>> -I think we previously realized that StringTokenizer has been deprecated in favor of String.split.
>> -Could we look at the error checking and decide what to do when there is for instance no san data available.
>> In these cases the output will be kind of odd.
>>
>> 3. Still looking at the python, just wanted to get started with this minor stuff.
>>
>>
>>
>>
>>
>> ----- Original Message -----
>>> From: "Christina Fu" <cfu at redhat.com>
>>> To: pki-devel at redhat.com
>>> Sent: Monday, April 20, 2015 5:00:47 PM
>>> Subject: Re: [Pki-devel] [PATCH]pki-cfu-0047-Ticket-1316-Allow-adding-SAN-to-server-cert-during-t.patch
>>>
>>> now with the attachment.
>>>
>>> On 04/20/2015 02:24 PM, Christina Fu wrote:
>>>> This patch allows SAN to be specified for the server cert during
>>>> installation.
>>>> It ports some of the code from now obsolete 8.1 errata that dealt with
>>>> IP port separation, and added needed pkispawn config parameters and
>>>> example enrollment profile with SAN patterns
>>>>
>>>> note: the installation part of san injection code ported was
>>>> originally authored by mharmsen, while the backend SAN input code
>>>> (authored by myself) was already ported earlier for other purpose.
>>>>
>>>> Usage:
>>>> * under /usr/share/pki/ca/conf, you will find a new file called
>>>> serverCert.profile.exampleWithSANpattern
>>>> * copy existing serverCert.profile away and replace with
>>>> serverCert.profile.exampleWithSANpattern
>>>> * edit serverCert.profile.exampleWithSANpattern
>>>>     - follow the instruction right above 8.default.
>>>>     - save and quit
>>>> * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
>>>>     - follow the instruction right above policyset.serverCertSet.9
>>>>     - save and quit
>>>> * save away and edit the ca config file for pkispawn: (note: you can
>>>> add multiple SAN's delimited by ',' for pki_san_server_cert)
>>>>     - add the following lines, e.g.
>>>>       pki_san_inject=True
>>>>       pki_san_server_cert=host1.Example.com
>>>>     - do the same pkispawn cfg changes for kra or any other instances
>>>> that you plan on creating
>>>> * create your instance(s)
>>>>     check the ssl server cert, it should contain something like the
>>>> following:
>>>>
>>>>                   Identifier: Subject Alternative Name - 2.5.29.17
>>>>                       Critical: no
>>>>                       Value:
>>>>                           DNSName: host1.Example.com
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
>
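As an added illustration (not code from the patch or the Dogtag project) of the pkispawn parameters described in the thread and of the "no san data available" error-checking point raised in review: this parses the comma-delimited `pki_san_server_cert` value, honours `pki_san_inject`, rejects entries that are not valid hostnames, and checks an issued cert's DNSName list against the configured names. The `[CA]` section name and the sample config are assumptions constructed for the example.

```python
import configparser
import re

# Constructed sample pkispawn config fragment (assumed layout; not from the thread).
# It deliberately contains surrounding whitespace, an empty entry and a duplicate.
SAMPLE_CFG = """\
[CA]
pki_san_inject=True
pki_san_server_cert=host1.Example.com, ca-alias.example.com,,host1.Example.com
"""

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_dns_name(name):
    """True if name is syntactically acceptable as a DNSName SAN value."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def san_dns_names(cfg_text, section="CA"):
    """Return the DNSName values that should be injected into the server cert
    request for the given section. Returns [] when injection is disabled or
    no SAN data is configured; raises ValueError on a malformed hostname,
    so a typo fails the install instead of producing an odd extension."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    if not cp.has_section(section):
        return []
    if not cp.getboolean(section, "pki_san_inject", fallback=False):
        return []
    raw = cp.get(section, "pki_san_server_cert", fallback="")
    names = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing or doubled delimiters
        if not valid_dns_name(item):
            raise ValueError("invalid SAN hostname: %r" % item)
        if item.lower() not in (n.lower() for n in names):
            names.append(item)  # DNS names compare case-insensitively
    return names


def missing_sans(expected, cert_dns_names):
    """Names from the config that do not appear in the issued cert's SAN list."""
    have = {n.lower() for n in cert_dns_names}
    return [n for n in expected if n.lower() not in have]
```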