Improve Add CRL/CKL dialog and errors #804
Comments
|
Comment from nkinder (@nkinder) at 2013-08-14 23:59:39 The issue here is that the CRL file can only be imported from the directory where the cert/key databases exist. This is mentioned in the on-line help page that is accessed by clicking on the "Help" button on the "Add CRL/CKL" dialog in Console. Here is what the help page states:
Only the filename for the CRL/CKL file should be specified in the console. An absolute or relative path does not work. We can improve the validation of the filename to present a more useful error message. We can also improve the text in the dialog so it is clear that you are supposed to only input a CRL/CKL filename that must exist in the certificate database location. There might still be other issues with CRL/CKL importing, as I am getting errors about an invalid CRL even when I use a correct filename. |
|
Comment from nkinder (@nkinder) at 2013-08-15 00:19:02 The security CGI expects the CRL file to be in PEM format (base64 encoded DER). I was previously trying to import a CRL in DER format, which triggered the "invalid CRL/CKL" message. The "Add CRL/CKL" dialog, on-line help page, and error message should be improved to make it clear that the expected format is PEM. |
|
Comment from nkinder (@nkinder) at 2013-08-15 00:36:26 Admin Server patch |
|
Comment from nkinder (@nkinder) at 2013-08-15 00:39:05 Screenshot (CRL path error) |
|
Comment from nkinder (@nkinder) at 2013-08-15 00:39:24 Screenshot (CRL format error) |
|
Comment from nkinder (@nkinder) at 2013-08-15 00:41:13 The attached Admin Server patch improves the error messages that are returned by the security CGI. I have attached screenshots that show these new error messages as displayed by Console. Additional changes are needed to 389-admin-console to improve the online-help, and idm-console-framework to improve the "Add CRL/CKL" dialog. |
|
Comment from nkinder (@nkinder) at 2013-08-15 03:00:10 idm-console-framework patch |
|
Comment from nkinder (@nkinder) at 2013-08-15 03:02:14 Screenshot (CRL Dialog) |
|
Comment from nkinder (@nkinder) at 2013-08-15 03:06:47 The attached IDM Console Framework patch improves the text on the "Add CRL/CKL" dialog. The new dialog can be see in the attached screenshot. |
|
Comment from nkinder (@nkinder) at 2013-08-15 03:14:22 389-admin-console patch |
|
Comment from nkinder (@nkinder) at 2013-08-15 03:15:09 The attached 389-admin-console patch improves the online help page that is accessed from the Console. |
|
Comment from nkinder (@nkinder) at 2013-08-15 04:19:58 Thanks to Noriko for her reviews! Patches pushed to master: Counting objects: 9, done. Counting objects: 19, done. Counting objects: 11, done. |
|
Comment from nhosoi (@nhosoi) at 2015-05-01 07:03:52 git patch file (adminserver master) -- additional fixes to the error messages |
|
Comment from rmeggins (@richm) at 2015-05-01 07:11:30 ack |
|
Comment from nhosoi (@nhosoi) at 2015-05-01 22:18:24 Thank you for reviewing the patch, Rich! Pushed to master: |
|
Comment from nkinder (@nkinder) at 2017-02-11 23:01:45 Metadata Update from @nkinder:
|
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47467
Description of problem:
Console provides a Manage certificates window for managing server certificates,
CA certificates and certificate revocation lists. A user should be able to
import CRL from Revoked Certs -> Add menu by specifying a path to CRL. This
currently does not work, even though CRL can be imported from command line.
Steps to Reproduce:
Make sure CA certificate is imported in certdb of DS
Obtain CRL in DER format:
[jrusnack@dstet ~]$ openssl crl -inform DER -in /myca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CZ/L=Brno/O=Redhat Inc.
Last Update: May 24 11:16:40 2013 GMT
Next Update: Jun 23 11:16:40 2013 GMT
CRL extensions:
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: 01
Revocation Date: May 24 09:51:35 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
2c:01:5d:d4:ac:6d:bf:ce:6e:dd:55:52:30:4d:bc:57:b8:2b:
b5:32:ca:b2:e3:79:32:a4:04:33:82:56:fc:ab:41:74:7d:12:
5a:36:9b:be:b8:6d:86:e0:34:b4:cc:34:8e:05:41:38:3a:47:
e9:3d:e3:19:53:8d:a9:2e:7c:5c:f9:3e:0b:cb:78:71:d1:b9:
c7:d5:64:7b:64:52:76:e0:57:79:0e:2d:e5:1c:fe:22:e1:8f:
c6:4a:44:b2:bb:71:ea:63:3b:6e:14:38:01:8f:30:42:b2:a5:
95:d4:12:e1:34:9f:99:8d:bc:b3:09:8e:39:80:ac:e4:c1:f0:
84:fb:b1:76:79:30:64:80:e7:3f:c9:75:04:7d:df:76:56:23:
31:4e:ba:45:2d:00:58:85:e9:83:6c:66:c7:f0:0d:8b:91:4d:
c2:33:ef:aa:ca:00:12:a4:5c:77:da:a7:b5:91:78:88:c5:ae:
fd:3a:68:c0:74:cb:5a:f2:b8:04:cd:5d:9e:46:1f:95:fb:05:
55:09:61:09:b0:68:1e:81:82:fd:6a:cd:91:ca:1c:5d:e0:ad:
39:f9:c8:bb:a8:a5:3e:6a:22:23:69:51:2b:c7:64:97:29:ac:
9a:66:e5:1e:99:4c:d5:65:50:87:b8:5a:d4:db:9a:df:1a:9b:
8b:3a:44:4e
[jrusnack@dstet ~]$ ls -l /myca.crl
-rwxrwxrwx. 1 jrusnack jrusnack 621 May 24 12:07 /myca.crl
Try to import via console
Enter CRL/CLK file:
/myca.crl
File contain a Compromised Key List (CKL)
Error is returned "Could not open file /myca.crl. File does not exist or
filename is invalid.", see the attachment.
[jrusnack@dstet slapd-dstet]$ crlutil -I -d . -a -t 1 -i /myca.crl
Enter Password or Pin for "NSS Certificate DB":
All OK
imported CRL is present
Actual results:
Import of CRL via console should be successful
The text was updated successfully, but these errors were encountered: