Jan Cholasta wrote:
> On 23.8.2011 15:36, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 18.8.2011 17:47, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> On 17.8.2011 10:27, Jan Cholasta wrote:
>>>>>> Verify that --external_cert_file and --external_ca_file are both
>>>>>> readable, valid PEM files and that their subject/issuer is correct.
>>>>>> Also fixes ipalib.x509.load_certificate_from_file.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1572
>>>>>>
>>>>>> Honza
>>>>>
>>>>> Patch attached.
>>>>
>>>> nack, but this is very close.
>>>>
>>>> If the CA is a chain the signing check may fail if the first cert isn't
>>>> the one that signed the CSR. You need to check all CA certs in the
>>>> file.
>>>>
>>>> rob
>>>
>>> Fixed.
>>>
>>> Honza
>>
>> Nice, I really like the way you import the cert chain.
>>
>> One more small request. When a failure occurs can you print more detail
>> on why? For example, we mandate that the subject of the CA cert be
>> CN=Certificate Authority,<subject_base>. Can you include what we expect
>> if this fails? Similarly when reviewing the cert chain display can you
>> show what CA is missing?
>>
>> rob
>
> Updated patch attached.
>
> Honza

ack, pushed to master and ipa-2-1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
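
The two review points in the thread (check every CA certificate in the file rather than only the first, and report the expected subject and the missing CA on failure) can be sketched as follows. This is an added example, not the FreeIPA patch or code from the thread: `check_external_ca`, the sample names and the `O=EXAMPLE.COM` subject base are constructed, DNs are compared as plain strings, and only name chaining is checked, not signatures.

```python
# Added illustration; function name and sample data are constructed, not FreeIPA code.
EXPECTED_CN = "CN=Certificate Authority"


def check_external_ca(cert, ca_certs, subject_base):
    """Return a list of error strings; an empty list means the names chain.

    cert and each entry of ca_certs are (subject, issuer) DN string pairs,
    as they would be read from the parsed PEM files. Only name chaining is
    checked here; signatures are not verified.
    """
    errors = []
    expected = "%s,%s" % (EXPECTED_CN, subject_base)
    subject, issuer = cert
    if subject != expected:
        errors.append("subject is '%s', expected '%s'" % (subject, expected))

    # Index every CA cert in the file by subject, so file order does not matter.
    by_subject = {s: i for s, i in ca_certs}
    seen = set()
    wanted = issuer
    while True:
        if wanted not in by_subject:
            errors.append("CA certificate '%s' is missing from the CA file" % wanted)
            break
        if wanted in seen:
            errors.append("CA chain loops at '%s'" % wanted)
            break
        seen.add(wanted)
        parent = by_subject[wanted]
        if parent == wanted:  # self-signed root reached, chain is complete
            break
        wanted = parent
    return errors


# Constructed sample data.
BASE = "O=EXAMPLE.COM"
IPA_CERT = ("CN=Certificate Authority,O=EXAMPLE.COM", "CN=Issuing CA,O=Corp")
# Root listed first: a check against only the first cert in the file would fail.
CHAIN = [("CN=Root CA,O=Corp", "CN=Root CA,O=Corp"),
         ("CN=Issuing CA,O=Corp", "CN=Root CA,O=Corp")]

if __name__ == "__main__":
    print(check_external_ca(IPA_CERT, CHAIN, BASE))      # complete chain
    print(check_external_ca(IPA_CERT, CHAIN[1:], BASE))  # root left out of the file
```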