ChenSammi commented on PR #5163: URL: https://github.com/apache/ozone/pull/5163#issuecomment-1720414751
> I had one doubt about managing the certificate ID selection via the protocol, and I am still not convinced that it is necessary for SCMs... Isn't the sequence id updated via raft once someone gets one? If so, and because all SCMs are signing their certificates with the leader/special node (at the first bootstrap), I have a feeling that we might not need to push this through a protocol call and we can assign the next id during signing a certificate.
>
> Am I missing something? I probably am, but I really would like to understand why we need the SCMs to have a cert serial ID before signing the cert from the SCM that signs the cert? At least this is my understanding of the code so far.

@fapifta, it's because the serial ID is used when constructing the subject of each service, like scm-sub-$ID; otherwise the old and new certificate will always have the same subject. This subject is constructed by DN/OM/RECON itself and is included in the PKCS10CertificationRequest, which is passed to SCM later.

The first code edition I tried was to extract the subject name from the PKCS10CertificationRequest, update it, and reset the subject in the PKCS10CertificationRequest with the new value. But I soon found it's hard to do that because the PKCS10CertificationRequest is not mutable. So that's why the current solution is used.
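The flow described above (obtain the id first, put it in the CSR subject, then have the CA check and sign), as an added example that is not Ozone's code and is not from this PR. It uses BouncyCastle, which is what `PKCS10CertificationRequest` comes from. Assumptions: the subject shape `CN=scm-sub-<id>,O=example` and the issuer name are made up, the sequence id is a plain `AtomicLong` standing in for the Raft-replicated counter, the certificate serial is set to the same id purely for illustration, and the class and method names (`allocateCertId`, `buildCsr`, `signIfSubjectMatches`) are hypothetical. The CA side also shows why the subject cannot be patched after the fact: it sits inside the `CertificationRequestInfo` that the requester signed, and BouncyCastle exposes no setter for it, so a CSR that claims a different id than the one handed out is rejected rather than rewritten.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;
import java.util.concurrent.atomic.AtomicLong;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class SerialIdInSubjectDemo {

  // Hypothetical stand-in for the SCM-side certificate sequence id. In a real
  // deployment this counter would be replicated (e.g. via Raft); here it is a
  // plain AtomicLong so the example runs in one JVM.
  static final AtomicLong NEXT_CERT_ID = new AtomicLong(1);

  static long allocateCertId() {
    return NEXT_CERT_ID.getAndIncrement();
  }

  // Service side (DN/OM/Recon in the discussion): the subject carries the id,
  // so the id must be known before the CSR is built and signed with the
  // service's own private key.
  static PKCS10CertificationRequest buildCsr(long certId, KeyPair serviceKey) throws Exception {
    X500Name subject = new X500Name("CN=scm-sub-" + certId + ",O=example"); // assumed subject shape
    ContentSigner csrSigner = new JcaContentSignerBuilder("SHA256withRSA")
        .setProvider("BC").build(serviceKey.getPrivate());
    return new JcaPKCS10CertificationRequestBuilder(subject, serviceKey.getPublic()).build(csrSigner);
  }

  // CA side (SCM in the discussion): parse the encoded CSR, check the
  // requester's signature, read the subject and confirm it carries the id that
  // was handed out. There is no setter for the subject: it sits inside the
  // signed CertificationRequestInfo, so rewriting it would break the signature.
  static X509CertificateHolder signIfSubjectMatches(byte[] csrBytes, long expectedId,
      X500Name issuer, KeyPair caKey) throws Exception {
    PKCS10CertificationRequest csr = new PKCS10CertificationRequest(csrBytes);
    boolean signatureOk = csr.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider("BC").build(csr.getSubjectPublicKeyInfo()));
    if (!signatureOk) {
      throw new SecurityException("CSR signature does not verify");
    }
    String cn = IETFUtils.valueToString(csr.getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
    if (!cn.equals("scm-sub-" + expectedId)) {
      throw new SecurityException("subject CN " + cn + " does not carry the issued id " + expectedId);
    }
    Date notBefore = new Date();
    Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
    ContentSigner caSigner = new JcaContentSignerBuilder("SHA256withRSA")
        .setProvider("BC").build(caKey.getPrivate());
    // Serial set to the same id only for illustration (an assumption of this example).
    return new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(expectedId), notBefore, notAfter,
        csr.getSubject(), new JcaPKCS10CertificationRequest(csr).getPublicKey()).build(caSigner);
  }

  public static void main(String[] args) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
    kpg.initialize(2048);
    KeyPair caKey = kpg.generateKeyPair();
    KeyPair serviceKey = kpg.generateKeyPair();
    X500Name issuer = new X500Name("CN=scm-root,O=example"); // assumed issuer name

    // Two rounds of the same flow with the same service key: the ids differ,
    // so the two certificates get different subjects.
    for (int round = 0; round < 2; round++) {
      long id = allocateCertId();                                           // step 1: obtain the id first
      byte[] csr = buildCsr(id, serviceKey).getEncoded();                   // step 2: CSR with id in subject
      X509CertificateHolder cert = signIfSubjectMatches(csr, id, issuer, caKey); // step 3: CA checks and signs
      System.out.println("issued serial=" + cert.getSerialNumber() + " subject=" + cert.getSubject());
    }

    // A CSR whose subject claims an id other than the one issued is rejected,
    // since the CA cannot rewrite the subject without invalidating the signature.
    long issued = allocateCertId();
    byte[] mismatched = buildCsr(issued + 100, serviceKey).getEncoded();
    try {
      signIfSubjectMatches(mismatched, issued, issuer, caKey);
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Compile and run with `bcprov` and `bcpkix` on the classpath. The check in `signIfSubjectMatches` is the piece that makes the "id before CSR" ordering matter: the CA can only accept or reject the subject it receives, which is why the service must learn the id through the protocol before it builds the request.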
