[Pki-devel] [PATCH] Lightweight CAs
Fraser Tweedale
ftweedal at redhat.com
Mon Sep 28 07:59:45 UTC 2015
On Fri, Sep 25, 2015 at 11:30:12PM +1000, Fraser Tweedale wrote:
> There is a problem with allowing authority DNs to be reused - when
> adding the cert to the NSSDB, despite what nickname you tell it to
> you, it will put the cert under the nickname of the existing cert
> with that subject DN. Thus when you go to find the cert by
> nickname, it cannot locate it. Failure ensues. This is possibly a
> bug in NSS (it's certainly surprising), but I need more time to
> analyse it.
>
The observed NSS behaviour (one nickname for all certs with a given
Subject DN) is by design. It was a limitation in the old nssdb
design, but is now an artificial restriction to maintain the old
behaviour. There is apparently no intention / desire to remove it.
I will push forward with the subject+issuer patch, at least to get a
working proof of concept and assess how it impacts the renewal
process.
Cheers,
Fraser