[Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

Christina Fu cfu at redhat.com
Sat May 20 00:31:37 UTC 2017


This patch is for https://pagure.io/dogtagpki/issue/2618: allow CA to process pre-signed CMC renewal cert requests

     Ticket#2618 feature: pre-signed CMC renewal request

     This patch provides the feature implementation to allow CA to process
     pre-signed CMC renewal requests. In the world of CMC, renewal requests
     are full CMC requests that are signed by a previously issued signing
     certificate.
     The implementation approach is to use the caFullCMCUserSignedCert
     with the enhanced profile constraint: UniqueKeyConstraint.
     UniqueKeyConstraint has been updated to disallow renewal of the same
     key shared by a revoked certificate.  It also saves the origNotAfter of
     the newest certificate sharing the same key in the request to be used by
     the RenewGracePeriodConstraint.
     The profile caFullCMCUserSignedCert.cfg has been updated to have
     both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be
     placed in the correct order. By default in the UniqueKeyConstraint the
     constraint parameter allowSameKeyRenewal=true.

Thanks,

Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
Type: text/x-patch
Size: 18384 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20170519/b47937b8/attachment.bin>
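
The interaction between the two constraints described in the message above, as an added Python model that is not part of the original e-mail or of the Dogtag code base. The record type, function names, the 30-day window, reading "newest" as latest notAfter, and the behaviour when no origNotAfter is recorded are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Cert:  # constructed stand-in for a CA database record
    key_id: str
    not_after: datetime
    revoked: bool = False

class Rejected(Exception):
    pass

def unique_key(req, db, now, allow_same_key_renewal=True):
    """Model of the updated UniqueKeyConstraint behaviour."""
    matches = [c for c in db if c.key_id == req["key_id"]]
    if not matches:
        return  # key never certified before: an ordinary enrollment
    if not allow_same_key_renewal:
        raise Rejected("key already certified")
    if any(c.revoked for c in matches):
        raise Rejected("key shared by a revoked certificate")
    # Assumption: "newest" is taken as the latest notAfter among the matches.
    req["origNotAfter"] = max(c.not_after for c in matches)

def renew_grace_period(req, db, now, grace=timedelta(days=30)):
    """Model of RenewGracePeriodConstraint consuming the saved origNotAfter."""
    orig = req.get("origNotAfter")
    if orig is None:
        return  # assumed behaviour: nothing recorded, so nothing to check
    if not (orig - grace <= now <= orig + grace):
        raise Rejected("outside renewal grace period")

def evaluate(key_id, db, now, order=(unique_key, renew_grace_period)):
    """Run the constraints in profile order against a fresh request."""
    req = {"key_id": key_id}
    try:
        for constraint in order:
            constraint(req, db, now)
    except Rejected as exc:
        return f"rejected: {exc}"
    return "accepted"

# Constructed sample data: one valid certificate and one revoked certificate.
DB = [Cert("k1", datetime(2017, 6, 30)),
      Cert("k2", datetime(2017, 6, 30), revoked=True)]
```

In this model, swapping the two constraints lets an early renewal through, because the grace-period check runs before origNotAfter has been saved.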

