[Pki-devel] [PATCH] 692 Added workaround for JSS limitation in pki pkcs12-import.

Ade Lee alee at redhat.com
Fri Feb 26 18:14:42 UTC 2016


Acked by me.  Pushed to master.

On Thu, 2016-02-25 at 16:17 -0600, Endi Sukma Dewata wrote:
> Currently JSS is unable to import CA certificates while preserving
> their nicknames. As a workaround, the pki pkcs12-import has been
> modified such that it exports individual CA certificates from PKCS
> The remaining user certificates will continue to be imported using
> JSS.
> 
> A new pki pkcs12-cert-export command has been added to export
> individual certificates from PKCS #12 file into PEM files.
> 
> The pki pkcs12-import has been modified to take a list of nicknames
> of the certificates to be imported into NSS database.
> 
> https://fedorahosted.org/pki/ticket/1742
> 
> Note:
> 
> This patch depends on patch #690 and #691.
> 
> This patch completes the fix of this ticket as described in the 
> following page except for the third-party certificate handling (see 
> discussion below):
> http://pki.fedoraproject.org/wiki/Exporting_System_Certificates
> 
> To test this patch, install a CA with externally signed CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate
> 
> Then clone the CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_Clone
> 
> Verify that the certificates on the master and replica are identical 
> including their nicknames.
> 
> To handle proxy certificate for IPA, we can either implement the
> cs.thirdparty.cert properties as described in the above page, but IPA
> would have to add the properties during the installation. Also IPA
> would have to add the properties to all existing installations. Then
> IPA needs to call pki-server ca-clone-prepare to export the
> certificates for cloning. If the properties exist, the command will
> need to export the third-party certificates into the PKCS #12 file
> along with other CA certs. Then IPA will need to add the same
> properties into the clone.
> 
> Or, IPA can manage the proxy certificate themselves. Since IPA has 
> already added the proxy cert into master, IPA can also add the proxy 
> cert into the PKCS #12 file generated by pki-server ca-clone-prepare 
> using this command:
> 
> pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \
>   pkcs12-cert-add "subsystemCert cert-pki-tomcat" \
>   --pkcs12 pki-server.p12 \
>   --pkcs12-password-file password.txt
> 
> With the second option there's no further changes required in PKI.
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel