[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] 692 Added workaround for JSS limitation in pki pkcs12-import.



Acked by me.  Pushed to master.

On Thu, 2016-02-25 at 16:17 -0600, Endi Sukma Dewata wrote:
> Currently JSS is unable to import CA certificates while preserving
> their nicknames. As a workaround, the pki pkcs12-import has been
> modified such that it exports individual CA certificates from PKCS
> The remaining user certificates will continue to be imported using
> JSS.
> 
> A new pki pkcs12-cert-export command has been added to export
> individual certificates from PKCS #12 file into PEM files.
> 
> The pki pkcs12-import has been modified to take a list of nicknames
> of the certificates to be imported into NSS database.
> 
> https://fedorahosted.org/pki/ticket/1742
> 
> Note:
> 
> This patch depends on patch #690 and #691.
> 
> This patch completes the fix of this ticket as described in the 
> following page except for the third-party certificate handling (see 
> discussion below):
> http://pki.fedoraproject.org/wiki/Exporting_System_Certificates
> 
> To test this patch, install a CA with externally signed CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed
> _CA_Certificate
> 
> Then clone the CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_Clone
> 
> Verify that the certificates on the master and replica are identical 
> including their nicknames.
> 
> To handle proxy certificate for IPA, we can either implement the 
> cs.thirdparty.cert properties as described in the above page, but IPA
> would have to add the properties during the installation. Also IPA
> would 
> have to add the properties to all existing installations. Then IPA
> needs 
> to call pki-server ca-clone-prepare to export the certificates for 
> cloning. If the properties exist, the command will need to export the
> third-party certificates into the PKCS #12 file along with other CA 
> certs. Then IPA will need to add the same properties into the clone.
> 
> Or, IPA can manage the proxy certificate themselves. Since IPA has 
> already added the proxy cert into master, IPA can also add the proxy 
> cert into the PKCS #12 file generated by pki-server ca-clone-prepare 
> using this command:
> 
> pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \
>   pkcs12-cert-add "subsystemCert cert-pki-tomcat" \
>    --pkcs12 pki-server.p12 \
>    --pkcs12-password-file password.txt
> 
> With the second option there's no further changes required in PKI.
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel redhat com
> https://www.redhat.com/mailman/listinfo/pki-devel


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]