[Pki-devel] [PATCH] 657 Refactored CA certificate generation.

Christina Fu cfu at redhat.com
Tue Nov 17 01:48:38 UTC 2015


This is what I have so far.  Just a few comments on the overall logic.  
I'm not making any Python coding-specific comments.

1. In base/server/python/pki/server/deployment/scriptlets/configuration.py,
doesn't this just add the leaf cert rather than the whole chain? In
other words, if your chain contains 2 or more certs, only the leaf subca
cert is added, isn't it?

+                    nssdb.add_cert(
+                        nickname=external_ca_nickname,
+                        cert_file=external_ca_cert_chain_file,
+                        trust_attributes='CTu,CTu,CTu')
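Review bot: nssdb.add_cert() is given external_ca_cert_chain_file but keys the import on a single nickname (external_ca_nickname), so if the file holds more than one certificate only one of them can end up in the database under that name and the rest of the chain is silently dropped; split the bundle and add each certificate under its own nickname, or use a chain-aware import. Also consider whether every certificate in the chain needs 'CTu,CTu,CTu' (trusted CA for SSL, e-mail and object signing, plus the 'u' flag that marks a cert with its own private key): the 'u' flag only belongs on the CA's own cert, and the issuers above it should get trust without it.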

2. Also in the same file:
+ # If specified, import externally-signed CA cert in NSS database.
...
Shouldn't there be a case where the externally signed CA keys were
generated on the HSM? You'd then need to import the issued externally
signed CA cert into the HSM db as well.

3. base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
I'm not seeing the following method being called, yet getExternal()
is being called... did I miss something?

+    public void setExternal(Boolean external) {

+        this.external = external;
+    }
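Review bot: setExternal(Boolean external) takes the boxed Boolean rather than the primitive, so the external field can be null until something calls this setter, and any caller of getExternal() that unboxes the result will hit a NullPointerException; either initialise the field to Boolean.FALSE, have getExternal() return a primitive boolean with a null check, or make sure the configuration request always populates it before the servlet reads it.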


4. base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+    public static void loadCert(Cert cert) throws Exception {
...
+        // create certificate record to reserve the serial number in internal database
+        ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta);
+        cr.addCertificateRecord(record);
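Review bot: createCertRecord()/addCertificateRecord() runs unconditionally in loadCert(), but for an externally-signed or existing CA certificate the serial number was assigned by another issuer, so reserving it in the local repository conflates certificates this CA issued with ones it did not and can collide with a serial the local CA later hands out; gate the record creation on the self-signed case, or add a comment stating why a record is needed in all three cases.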

In case of an externally signed ca or existing ca, why would you need to 
reserve the serial number or even add in the certificate repository?

5. Finally, please add comments to explain the cases for clarification...
such as "stand-alone vs. external; step 1, step 2, etc." For example,
it seems "external" could imply "existing" as well in terms of the CA
cert; you might want to put that in a comment.

Christina
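An added example, not part of the patch or of Dogtag's own code, illustrating the chain-import concern in point 1: it splits a PEM bundle into its individual certificates and plans one `certutil -A` invocation per certificate instead of handing the whole bundle to a single add call. It assumes the bundle is ordered from the CA's own certificate up to the root; the `-chain-<i>` nickname suffixes, the per-cert trust strings and the sample bundle are choices constructed here, not values from the patch.

```python
import re
from typing import List, Tuple

# One PEM certificate block; DOTALL lets the base64 body span several lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

# Trust strings chosen for this example (assumption, not from the patch):
# the CA's own cert keeps the patch's 'CTu,CTu,CTu' ('u' = private key present);
# the issuers above it are trusted CAs with no local key, so no 'u'.
OWN_CA_TRUST = "CTu,CTu,CTu"
ISSUER_TRUST = "CT,C,C"

# Constructed placeholder bundle (two fake blocks, NOT real certificates),
# ordered CA cert first, then its issuer, as PEM bundles conventionally are.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nQ0EgY2VydCAoY29uc3RydWN0ZWQp\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUm9vdCBjZXJ0IChjb25zdHJ1Y3RlZCk=\n"
    "-----END CERTIFICATE-----\n"
)


def split_pem_chain(bundle: str) -> List[str]:
    """Return every PEM certificate in the bundle, in file order."""
    return _PEM_RE.findall(bundle)


def plan_chain_import(bundle: str, nickname: str) -> List[Tuple[str, str, str]]:
    """Map each cert in the bundle to (nickname, trust, pem_text).

    One add keyed on one nickname stores one certificate, so an n-cert
    bundle needs n adds. Index 0 is assumed to be the CA's own cert and
    keeps the given nickname; its issuers get a '-chain-<i>' suffix.
    """
    certs = split_pem_chain(bundle)
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    plan = []
    for i, pem in enumerate(certs):
        nick = nickname if i == 0 else f"{nickname}-chain-{i}"
        trust = OWN_CA_TRUST if i == 0 else ISSUER_TRUST
        plan.append((nick, trust, pem))
    return plan


def certutil_argv(db_dir: str, nick: str, trust: str, cert_path: str) -> List[str]:
    """Build the certutil command that adds one cert under one nickname.
    The caller writes pem_text to cert_path first; nothing is executed here."""
    return ["certutil", "-A", "-d", db_dir, "-n", nick, "-t", trust, "-i", cert_path]
```

Running `plan_chain_import(SAMPLE_BUNDLE, "externalCA")` yields two entries, which is the point: the single `nssdb.add_cert()` call in the patch would have made only one.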



On 11/16/2015 09:24 AM, Endi Sukma Dewata wrote:
> On 11/9/2015 1:59 PM, Endi Sukma Dewata wrote:
>> The CA certificate request and signing processes have been moved
>> from the configuration servlet into the deployment scriptlet. This
>> way the admin will have the option to:
>>
>> * generate self-signed CA certificate
>> * import externally-signed CA certificate
>> * import existing CA certificate
>>
>> before the server is started for the first time.
>>
>> https://fedorahosted.org/pki/ticket/456
>>
>> Note: This is a preliminary patch. There are some unfinished works.
>
> Attached is the actual patch.
>
