[Pki-devel] [PATCH] 297, 298 add validity check for external CA

Ade Lee alee at redhat.com
Mon May 2 18:40:24 UTC 2016 

On Fri, 2016-04-22 at 16:37 -0500, Endi Sukma Dewata wrote:
> On 4/22/2016 2:37 PM, Ade Lee wrote:
> > commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
> > Author: Ade Lee <alee at redhat.com>
> > Date:   Fri Apr 22 15:31:43 2016 -0400
> > 
> >      Add validity check for the signing certificate in pkispawn
> > 
> >      When either an existing CA or external CA installation is
> >      performed, use the pki-server cert validation tool to check
> >      the signing certiticate and chain.
> > 
> >      Ticket #2043
> > 
> > commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
> > Author: Ade Lee <alee at redhat.com>
> > Date:   Wed Apr 20 17:26:23 2016 -0400
> > 
> >      Add CLI to check system certificate status
> > 
> >      We add two different calls:
> >      1. pki client-cert-validate - which checks a certificate in
> > the client
> >         certdb and calls the System cert verification call
> > performed by JSS
> >        in the system self test.  This does some basic extensions
> > and trust
> >        tests, and also validates cert validity and cert trust
> > chain.
> > 
> >      2. pki-server subsystem-cert-validate  <subsystem>
> >         This calls pki client-cert-validate using the nssdb for the
> > subsystem
> >         on all of the system certificates by default (or just one
> > if the
> >         nickname is defined).
> > 
> >         This is a great thing to call when healthchecking an
> > instance,
> >         and also will be used by pkispawn to verify the signing
> > cert in the
> >         externally signed CA case.
> > 
> >      Trac Ticket 2043
> > 
> 
> In general it's ACKed. I have some minor comments/questions:
> 
> 1. The SubsystemCertificateVerifier probably should be renamed to 
> SystemCertificateVerifier since "system certificate" refers to a cert
> in 
> the subsystem/instance's NSS database and "subsystem certificate"
> could 
> be confused with the "subsystemCert cert-pki-tomcat".
> 
done

> 2. Instead of storing a shared SubsystemCertificateVerifier object in
> the PKIDeployer object it might be better to create a factory method,
> so 
> the verifier can be used like this:
> 
>    verifier = deployer.create_system_cert_verifier()
>    verifier.verify_certificate('signing')
> 
> That way the life-cycle of the verifier object will be short.
> 
done
> 3. The .classpath got changed to point to a local path on your
> machine.
> 
done
> 4. Is the "hardward-<token>" name used consistently in our code?
> 
>    passwd = instance.get_password("hardware-%s" % token)
> 

it should be for non-internal.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0298-1-Add-validity-check-for-the-signing-certificate-in-pk.patch
Type: text/x-patch
Size: 9647 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160502/9550a70f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0297-1-Add-CLI-to-check-system-certificate-status.patch
Type: text/x-patch
Size: 15722 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160502/9550a70f/attachment-0001.bin>

More information about the Pki-devel mailing list