Added support for installation with custom keys (PKI 10.5) #37
Conversation
My review is only on looking through the provided docs and comments. Overall it looks fine. Some of this we have discussed over IRC:

Thanks for the feedback. The pki_pin has been renamed to pki_server_database_password (for consistency with the existing pki_client_database_password). The docs have been updated to use the new parameter name. The docs will now be included in the pki-server package and will be installed locally in the /usr/share/pki/server/docs folder. As discussed on IRC, it's too difficult right now to move the nickname parameters into step 2 since there are files generated in step 1 that contain the nicknames, so the correct nicknames have to be specified in step 1. We may revisit this issue in the future.
The pki.nssdb module has been modified to support both standard and legacy CSR delimiters as defined in RFC 7468. https://pagure.io/dogtagpki/issue/3053 Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
The default.cfg has been modified to remove default CSR paths. The verify_predefined_configuration_file_data() has been modified to no longer require CSR path parameters in the first step of external CA scenario. https://pagure.io/dogtagpki/issue/3053 Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
The installation code has been modified to import custom CSRs for KRA and OCSP system certificates if provided. The CA installation already supports this functionality. https://pagure.io/dogtagpki/issue/3053 Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
The pkispawn has been modified to display the proper message for installation with custom keys where the CSRs will not be generated. https://pagure.io/dogtagpki/issue/3053 Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
The NSSDatabase.add_cert() has been modified to accept both single certificates and PKCS #7 certificate chains in PEM format. The pki client-cert-import has been modified to support importing CA cert chain in PKCS #7 format. The Cert.parseCertificate() has been modified to parse PKCS #7 cert chain properly. https://pagure.io/dogtagpki/issue/3053 Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
The following parameters have been renamed for consistency:
* pki_database_path -> pki_server_database_path
* pki_pin -> pki_server_database_password
The old parameters are still usable but they have been deprecated. The pki_client_pin is redundant so it has been removed. https://pagure.io/dogtagpki/issue/3053 Change-Id: I243a01b360f573a16a160e9a415f786e38681603
Previously the NSS database passwords were generated in pkiparser.py. Under certain scenarios the password may be overwritten by a subsequent code in pkispawn. To avoid the problem the code that generates the NSS database passwords has been moved into the initialization scriptlet. https://pagure.io/dogtagpki/issue/3061 Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
The pki-server subsystem-cert-validate CLI has been modified to show the actual message generated by NSS if the validation fails. https://pagure.io/dogtagpki/issue/3053 Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
These patches provide a mechanism to install CA, KRA, and OCSP with custom keys. This mechanism works similarly to the "external CA" scenario, but in step 1 pkispawn will not generate keys and CSRs. The admin is expected to generate or import the keys into the server's NSS database, and also supply the CSRs and certificates. In step 2 pkispawn will import the CSRs and certificates to complete the installation.
The documentation can be reviewed here:
https://github.com/edewata/pki/tree/v10.5-3053/base/server/docs/installation
https://pagure.io/dogtagpki/issue/3053
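Two of the commits above change how admin-supplied PEM files are read: the pki.nssdb change accepts both the standard and the legacy CSR delimiter defined in RFC 7468, and the NSSDatabase.add_cert() change accepts either a single certificate or a PKCS #7 chain. The parser below is an added example written for this review, not code from the dogtagpki repository or from the pki.nssdb module; it shows the checks a strict reader of such files should make, which matter here because in the custom-keys scenario the CSRs and certificates come from the admin rather than from pkispawn. It accepts "CERTIFICATE REQUEST" and the legacy "NEW CERTIFICATE REQUEST" label (RFC 7468 section 7), ignores explanatory text outside blocks, rejects a mismatched END label or invalid base64, and classifies a certificate file as one or more CERTIFICATE blocks or a single PKCS7 block. The function names, the sample payloads (constructed placeholder bytes, not real DER) and the make_pem helper are all assumptions of this example; unwrapping the certificates inside a PKCS #7 blob needs an ASN.1 decoder and is deliberately left out.

```python
"""Strict RFC 7468 block reader for CSR and certificate files.

Added example, not dogtagpki code. Sample inputs are constructed here."""
import base64
import binascii
import re

# RFC 7468 section 7: "CERTIFICATE REQUEST" is the standard label;
# "NEW CERTIFICATE REQUEST" is the legacy label a parser may also accept.
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
CERT_LABELS = {"CERTIFICATE"}
PKCS7_LABELS = {"PKCS7"}

BOUNDARY_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+?)-----\s*$")


class PemError(ValueError):
    """Raised for any malformed or ambiguous PEM input."""


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every block in `text`.

    Text outside blocks is ignored (RFC 7468 allows it). A block whose END
    label differs from its BEGIN label, an unterminated block, an empty body
    or invalid base64 is rejected instead of being silently truncated."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BOUNDARY_RE.match(line)
        if m is None:
            if label is not None and line:
                body.append(line)
            continue
        kind, lbl = m.group(1), m.group(2)
        if kind == "BEGIN":
            if label is not None:
                raise PemError(f"line {lineno}: BEGIN inside open {label!r} block")
            label, body = lbl, []
            continue
        if label is None:
            raise PemError(f"line {lineno}: END without BEGIN")
        if lbl != label:
            raise PemError(f"line {lineno}: END label {lbl!r} != BEGIN label {label!r}")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as e:
            raise PemError(f"block {label!r}: invalid base64: {e}") from e
        if not der:
            raise PemError(f"block {label!r}: empty body")
        blocks.append((label, der))
        label = None
    if label is not None:
        raise PemError(f"unterminated {label!r} block")
    return blocks


def load_csr(text):
    """Return the DER of the single CSR in `text`, whichever delimiter it uses."""
    csrs = [der for lbl, der in parse_pem_blocks(text) if lbl in CSR_LABELS]
    if len(csrs) != 1:
        raise PemError(f"expected exactly one CSR block, found {len(csrs)}")
    return csrs[0]


def load_certificates(text):
    """Return ("certificate", [der, ...]) for one or more CERTIFICATE blocks,
    or ("pkcs7", [der]) for a single PEM-wrapped PKCS #7 bundle."""
    found = [(l, d) for l, d in parse_pem_blocks(text) if l in CERT_LABELS | PKCS7_LABELS]
    if not found:
        raise PemError("no CERTIFICATE or PKCS7 block found")
    labels = {l for l, _ in found}
    if len(labels) > 1:
        raise PemError(f"mixed block types: {sorted(labels)}")
    kind = "pkcs7" if labels == PKCS7_LABELS else "certificate"
    if kind == "pkcs7" and len(found) != 1:
        raise PemError("expected a single PKCS7 block")
    return kind, [d for _, d in found]


def rejects(text, loader=load_csr):
    """True if `loader` refuses `text` with PemError (used to check strictness)."""
    try:
        loader(text)
    except PemError:
        return True
    return False


def make_pem(label, der, end_label=None, width=64):
    """Build a PEM block from raw bytes; `end_label` lets a test construct a
    deliberately mismatched block. Used only to construct sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {end_label or label}-----", ""])


# Constructed placeholders standing in for DER; not real CSR/certificate bytes.
SAMPLE_CSR_DER = b"constructed sample, not a real CSR"
SAMPLE_CERT_DERS = [b"constructed sample, not a real cert 1",
                    b"constructed sample, not a real cert 2"]

if __name__ == "__main__":
    legacy = "Bag Attributes: constructed header text\n" + make_pem("NEW CERTIFICATE REQUEST", SAMPLE_CSR_DER)
    print(load_csr(legacy) == SAMPLE_CSR_DER)
    print(load_certificates("".join(make_pem("CERTIFICATE", d) for d in SAMPLE_CERT_DERS)))
```

The strictness is the point: a reader that stops at the first END line, or that accepts any END label, will happily import a truncated or concatenated file, and with admin-supplied material there is no pkispawn-generated copy to compare against.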