Improve Add CRL/CKL dialog and errors #804
Comments
Comment from nkinder (@nkinder) at 2013-08-14 23:59:39 The issue here is that the CRL file can only be imported from the directory where the cert/key databases exist. This is mentioned in the on-line help page that is accessed by clicking on the "Help" button on the "Add CRL/CKL" dialog in Console. Here is what the help page states:
Only the filename for the CRL/CKL file should be specified in the console. An absolute or relative path does not work. We can improve the validation of the filename to present a more useful error message. We can also improve the text in the dialog so it is clear that you are supposed to only input a CRL/CKL filename that must exist in the certificate database location. There might still be other issues with CRL/CKL importing, as I am getting errors about an invalid CRL even when I use a correct filename.
Comment from nkinder (@nkinder) at 2013-08-15 00:19:02 The security CGI expects the CRL file to be in PEM format (base64 encoded DER). I was previously trying to import a CRL in DER format, which triggered the "invalid CRL/CKL" message. The "Add CRL/CKL" dialog, on-line help page, and error message should be improved to make it clear that the expected format is PEM.
Comment from nkinder (@nkinder) at 2013-08-15 00:36:26 Admin Server patch
Comment from nkinder (@nkinder) at 2013-08-15 00:39:05
Comment from nkinder (@nkinder) at 2013-08-15 00:39:24
Comment from nkinder (@nkinder) at 2013-08-15 00:41:13 The attached Admin Server patch improves the error messages that are returned by the security CGI. I have attached screenshots that show these new error messages as displayed by Console. Additional changes are needed to 389-admin-console to improve the online-help, and idm-console-framework to improve the "Add CRL/CKL" dialog.
Comment from nkinder (@nkinder) at 2013-08-15 03:00:10 idm-console-framework patch
Comment from nkinder (@nkinder) at 2013-08-15 03:02:14
Comment from nkinder (@nkinder) at 2013-08-15 03:06:47 The attached IDM Console Framework patch improves the text on the "Add CRL/CKL" dialog. The new dialog can be seen in the attached screenshot.
Comment from nkinder (@nkinder) at 2013-08-15 03:14:22 389-admin-console patch
Comment from nkinder (@nkinder) at 2013-08-15 03:15:09 The attached 389-admin-console patch improves the online help page that is accessed from the Console.
Comment from nkinder (@nkinder) at 2013-08-15 04:19:58 Thanks to Noriko for her reviews! Patches pushed to master: Counting objects: 9, done. Counting objects: 19, done. Counting objects: 11, done.
Comment from nhosoi (@nhosoi) at 2015-05-01 07:03:52 git patch file (adminserver master) -- additional fixes to the error messages
Comment from rmeggins (@richm) at 2015-05-01 07:11:30 ack
Comment from nhosoi (@nhosoi) at 2015-05-01 22:18:24 Thank you for reviewing the patch, Rich! Pushed to master:
Comment from nkinder (@nkinder) at 2017-02-11 23:01:45 Metadata Update from @nkinder:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47467
Description of problem:
Console provides a Manage certificates window for managing server certificates,
CA certificates and certificate revocation lists. A user should be able to
import CRL from Revoked Certs -> Add menu by specifying a path to CRL. This
currently does not work, even though CRL can be imported from command line.
Steps to Reproduce:
Make sure CA certificate is imported in certdb of DS
Obtain CRL in DER format:
[jrusnack@dstet ~]$ openssl crl -inform DER -in /myca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CZ/L=Brno/O=Redhat Inc.
Last Update: May 24 11:16:40 2013 GMT
Next Update: Jun 23 11:16:40 2013 GMT
CRL extensions:
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: 01
Revocation Date: May 24 09:51:35 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
2c:01:5d:d4:ac:6d:bf:ce:6e:dd:55:52:30:4d:bc:57:b8:2b:
b5:32:ca:b2:e3:79:32:a4:04:33:82:56:fc:ab:41:74:7d:12:
5a:36:9b:be:b8:6d:86:e0:34:b4:cc:34:8e:05:41:38:3a:47:
e9:3d:e3:19:53:8d:a9:2e:7c:5c:f9:3e:0b:cb:78:71:d1:b9:
c7:d5:64:7b:64:52:76:e0:57:79:0e:2d:e5:1c:fe:22:e1:8f:
c6:4a:44:b2:bb:71:ea:63:3b:6e:14:38:01:8f:30:42:b2:a5:
95:d4:12:e1:34:9f:99:8d:bc:b3:09:8e:39:80:ac:e4:c1:f0:
84:fb:b1:76:79:30:64:80:e7:3f:c9:75:04:7d:df:76:56:23:
31:4e:ba:45:2d:00:58:85:e9:83:6c:66:c7:f0:0d:8b:91:4d:
c2:33:ef:aa:ca:00:12:a4:5c:77:da:a7:b5:91:78:88:c5:ae:
fd:3a:68:c0:74:cb:5a:f2:b8:04:cd:5d:9e:46:1f:95:fb:05:
55:09:61:09:b0:68:1e:81:82:fd:6a:cd:91:ca:1c:5d:e0:ad:
39:f9:c8:bb:a8:a5:3e:6a:22:23:69:51:2b:c7:64:97:29:ac:
9a:66:e5:1e:99:4c:d5:65:50:87:b8:5a:d4:db:9a:df:1a:9b:
8b:3a:44:4e
[jrusnack@dstet ~]$ ls -l /myca.crl
-rwxrwxrwx. 1 jrusnack jrusnack 621 May 24 12:07 /myca.crl
Try to import via console
Enter CRL/CLK file:
/myca.crl
File contain a Compromised Key List (CKL)
Error is returned "Could not open file /myca.crl. File does not exist or
filename is invalid.", see the attachment.
[jrusnack@dstet slapd-dstet]$ crlutil -I -d . -a -t 1 -i /myca.crl
Enter Password or Pin for "NSS Certificate DB":
All OK
imported CRL is present
Actual results:
Import of CRL via console should be successful
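The reporter's reproduction above feeds a DER-encoded CRL to the console, and nkinder's comment explains that the security CGI only accepts PEM (base64-encoded DER), which is what turns a valid file into an "invalid CRL/CKL" error. The following script is an added example, not code from the 389 Admin Server, Console or crlutil projects: it sniffs whether a CRL file is PEM or DER by checking for the X509 CRL armour or a single well-framed outer DER SEQUENCE, converts DER to PEM, and rejects files that are neither, so the format can be checked before the file is placed in the certificate database directory. The function names and the `SAMPLE_DER` blob are assumptions of this example; the blob is a constructed stand-in with the same outer DER framing as a CRL, not an actual CRL, and the script does not parse or validate the CRL's contents or signature.

```python
"""Check a CRL file's encoding and emit the PEM form the security CGI expects.

Added example (not code from the 389-ds / Admin Server project). It covers
only the encoding half of the problem: the PEM file still has to live in the
certificate database directory and be named by bare filename in the dialog.
"""
import base64
import re
import sys

# PEM armour that crlutil and openssl emit for a CRL.
PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def _der_sequence_length(data: bytes):
    """Parse the outer DER SEQUENCE header; return (header_len, content_len) or None."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short-form length
        return 2, first
    n = first & 0x7F                              # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def detect_encoding(blob: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the bytes of a CRL file."""
    if PEM_CRL.search(blob):
        return "pem"
    hdr = _der_sequence_length(blob)
    if hdr is not None and hdr[0] + hdr[1] == len(blob):   # one SEQUENCE, nothing trailing
        return "der"
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    """Strip the armour and base64-decode the body (newlines are discarded by b64decode)."""
    m = PEM_CRL.search(pem)
    if m is None:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode(m.group(1))


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the X509 CRL armour with 64-character base64 lines."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def normalize_crl(blob: bytes) -> bytes:
    """Return the CRL as PEM, converting DER; reject anything that is neither."""
    enc = detect_encoding(blob)
    if enc == "der":
        return der_to_pem(blob)
    if enc == "pem":
        der = pem_to_der(blob)
        if detect_encoding(der) != "der":      # armour wrapped around non-DER bytes
            raise ValueError("PEM body is not a DER SEQUENCE")
        return der_to_pem(der)                 # re-wrap so the line layout is canonical
    raise ValueError("file is neither a PEM nor a DER CRL")


# Constructed stand-in (assumption of this example): a DER SEQUENCE with a
# long-form length (203 content bytes), i.e. the outer framing of a real CRL.
# It is NOT a real CRL and carries no revocation data.
SAMPLE_DER = b"\x30\x81\xcb" + b"\x04\x81\xc8" + b"\x00" * 200


if __name__ == "__main__":
    # Usage: python crlcheck.py myca.crl > myca.pem
    path = sys.argv[1]
    with open(path, "rb") as f:
        data = f.read()
    print(f"{path}: {detect_encoding(data)}", file=sys.stderr)
    sys.stdout.buffer.write(normalize_crl(data))
```

The DER check deliberately requires the outer SEQUENCE length to account for every byte of the file, so a truncated download or a file with trailing junk is reported as unknown rather than passed on, and a PEM file whose body is not DER (an armour copied around the wrong bytes) is rejected on the round-trip instead of producing a confusing error at import time.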