[Pki-devel] [PATCH] 0113..0114 Lightweight CAs: renewal support

Endi Sukma Dewata edewata at redhat.com
Fri Jun 3 03:28:00 UTC 2016


On 5/17/2016 12:26 AM, Fraser Tweedale wrote:
> Attached patches implement LWCA renewal support
> (https://fedorahosted.org/pki/ticket/2327).
>
> It includes REST API
>
>     POST /ca/rest/authorities/<id>/renew
>
> But not implemented in CLI tool yet.  If we decide to make it a
> first-class CLI feature (cf certmonger, IPA, etc managing the
> renewal) then I'll file the ticket and implement it at that time.
>
> Cheers,
> Fraser

Some comments:

1. This is related to patch #111 too. Suppose an authority is 
added/deleted/renewed in one replica while another replica is down, when 
the second replica is brought back up will it know that it's missing the 
changes and be able to update the NSSDB accordingly?

I'm thinking when the server is started there should be a process to 
synchronize the NSSDB with the authorities in LDAP. Do we have something 
like that already, or is this not an issue?

2. The locale object for the RenewalProcessor should be obtained from 
the client, not from the server. See PKIService.getLocale(). In this 
case you probably need to pass HttpServletRequest to the renewAuthority().

3. The HttpServletRequest can be used to call processRenewal() as well.

I think #1 can be done separately later. The patches are ACKed assuming 
#2 and #3 are addressed.

-- 
Endi S. Dewata



