[Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

Christina Fu cfu at redhat.com
Mon May 22 16:45:35 UTC 2017


pushed to master:

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb

thanks,

Christina


On 05/19/2017 06:36 PM, John Magne wrote:
> ACK:
>
> Just make sure these changed constraints don't have any negative effect on existing profiles that use those constraints.
>
> ----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Friday, May 19, 2017 5:31:37 PM
> Subject: [Pki-devel] [PATCH]	Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
>
>
>
> This patch is for https://pagure.io/dogtagpki/issue/2618 allow CA to process pre-signed CMC renewal cert requests
>
> Ticket#2618 feature: pre-signed CMC renewal request
>
> This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
> The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
> UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint.
> The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
>
>
> Thanks,
>
> Christina
>
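
The constraint ordering described in the patch summary above, as an added illustration that is not part of the original post and is not Dogtag's code: a small Python model in which UniqueKeyConstraint records origNotAfter and RenewGracePeriodConstraint consumes it. The record layout, the 30-day grace windows, choosing the newest certificate by latest notAfter, and treating a request without origNotAfter as a non-renewal are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

class Rejected(Exception):
    """A profile constraint refused the request."""

@dataclass
class Cert:  # constructed stand-in for a certificate record in the CA database
    key_id: str
    not_after: datetime
    revoked: bool = False

def unique_key_constraint(req, issued, allow_same_key_renewal=True):
    same_key = [c for c in issued if c.key_id == req["key_id"]]
    if not same_key:
        return  # key never seen before: plain enrollment, nothing to record
    if not allow_same_key_renewal:
        raise Rejected("key already certified")
    if any(c.revoked for c in same_key):
        raise Rejected("key shared by a revoked certificate")
    # Assumption: "newest" means the certificate with the latest notAfter.
    req["origNotAfter"] = max(c.not_after for c in same_key)

def renew_grace_period_constraint(req, now, before=timedelta(days=30),
                                  after=timedelta(days=30)):
    orig = req.get("origNotAfter")
    if orig is None:
        return  # assumption: without origNotAfter this is not seen as a renewal
    if not (orig - before <= now <= orig + after):
        raise Rejected("outside renewal grace period")

def decide(key_id, issued, now, order=("unique", "grace")):
    """Run the constraints in profile order; return 'accepted' or the reason."""
    req = {"key_id": key_id}
    try:
        for name in order:
            if name == "unique":
                unique_key_constraint(req, issued)
            else:
                renew_grace_period_constraint(req, now)
    except Rejected as exc:
        return str(exc)
    return "accepted"

# Constructed sample data: one key near expiry, one far from expiry,
# one key shared with a revoked certificate.
NOW = datetime(2017, 5, 22)
ISSUED = [Cert("k-soon", datetime(2017, 6, 1)),
          Cert("k-early", datetime(2018, 5, 22)),
          Cert("k-rev", datetime(2017, 6, 1), revoked=True),
          Cert("k-rev", datetime(2017, 6, 10))]
```

With the order reversed, `decide("k-early", ISSUED, NOW, ("grace", "unique"))` returns `"accepted"`, because the grace check runs before origNotAfter has been saved; in the default order the same request is rejected as outside the grace period.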
