Hi,

> I think I know what's causing the observed behaviour.
>
> The cert 013C522BCC6F5A2B.crt was first imported in realm xca. If I try to
> import the same cert into realm prodxca it fails with "Cert already exists",
> despite the fact I specified different realms. Import with update=1 changes
> the cert in realm xca, even if I specify realm=prodxca.
>
> If I have an issuer cert in realm xca and import a cert signed by this issuer
> in realm prodxca, the cert will be imported into realm xca, the issuer's
> realm. This is described in Server/API2/Plugin/Cert/import_certificate.pm but
> I'm not sure I understand the reasons for it. I expected the realms to be
> separated, with certificates only visible in the specified realm. Certs
> without realm are visible to all realms.
>
> But pki_realm is not in the where clause, the check searches in all realms:
>
>     # Check if the certificate is already in the PKI
>     my $existing_cert = $dbi->select_one(
>         from    => 'certificate',
>         columns => [ qw( identifier pki_realm status req_key ) ],
>         where   => { identifier => $cert_identifier },
>     );
>
> I quickly scanned the code and found more statements without pki_realm in the
> where clause, so it seems to be a design decision. Why are the certificates
> not separated by pki_realm?
You are correct, this is a design decision which incidentally I personally made around 2006 IIRC.

The basic idea is that a certain certificate is unique, and hence should only be present in the database once. We actually enforce this by setting a unique index on the certificate identifier on the certificate table. For end entity certificates I believe there is no case where this is actually a problem; in most cases OpenXPKI itself (or a remote issuer) issues the certificate, which should by definition be unique.

However, there are cases where certificates from one PKI Realm are needed in another PKI Realm. In almost any case I can think of this will be a CA certificate, e.g. for building the certificate chain. In order to cater for situations where a particular certificate existing in a different realm is needed in another realm, we introduced the idea of an alias. An alias is a named reference to an arbitrary certificate in any local PKI Realm. By setting an alias in the PKI Realm to a certificate in a different PKI Realm, you effectively allow the realm containing the alias to use the referenced certificate, without violating the uniqueness requirement.

You are obviously trying to migrate existing data from an existing setup. The problems you encounter stem from conflicting imports into another PKI Realm. My recommendation is to work on a clean setup and avoid "fiddling with data" (this will also make sure that the resulting system is in a sane state). Once you are confident, perform this operation as a one-off import in the actual production environment. (This is how we do migrations of existing environments with our own tool set, anyway.)

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
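The data model the two messages describe (one row per certificate identifier enforced by a unique index, an identifier-only existence check that ignores pki_realm, a certificate homed in its issuer's realm, and an alias table that lets another realm reference a certificate without duplicating it) can be illustrated with a small in-memory SQLite model. This is an added example written for this thread, not OpenXPKI's schema or code; the table layout, the function names and the sample identifiers are all constructed for illustration.

```python
"""Toy model of the certificate/realm/alias design discussed in the thread.

Constructed for illustration; it is not OpenXPKI's schema. The only parts that
mirror the thread are: the UNIQUE index on identifier, the existence check
that deliberately omits pki_realm from its WHERE clause, a certificate being
homed in its issuer's realm, and the alias table bridging realms.
"""
import sqlite3

# Constructed sample identifiers (OpenXPKI uses a hash-derived identifier).
ISSUER_ID = "constructed-issuer-identifier"
LEAF_ID = "constructed-leaf-identifier"

SCHEMA = """
CREATE TABLE certificate (
    identifier        TEXT NOT NULL,
    pki_realm         TEXT,               -- NULL = visible to all realms
    subject           TEXT NOT NULL,
    issuer_identifier TEXT,
    status            TEXT NOT NULL DEFAULT 'ISSUED'
);
-- The uniqueness requirement from the reply: one row per certificate, ever.
CREATE UNIQUE INDEX certificate_identifier_idx ON certificate (identifier);
CREATE TABLE aliases (
    pki_realm  TEXT NOT NULL,
    alias      TEXT NOT NULL,
    identifier TEXT NOT NULL REFERENCES certificate (identifier),
    UNIQUE (pki_realm, alias)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def import_certificate(conn, identifier, subject, pki_realm=None, issuer_identifier=None):
    """Import a certificate once. The existence check looks up by identifier
    only (no pki_realm in the WHERE clause), as the quoted Perl does, so a
    second import into any other realm is rejected."""
    row = conn.execute(
        "SELECT pki_realm FROM certificate WHERE identifier = ?", (identifier,)
    ).fetchone()
    if row is not None:
        raise ValueError(f"Cert already exists (homed in realm {row[0]!r})")
    # Behaviour the question describes: if the issuer is known locally, the
    # new certificate is homed in the issuer's realm, not the requested one.
    if issuer_identifier is not None:
        issuer = conn.execute(
            "SELECT pki_realm FROM certificate WHERE identifier = ?", (issuer_identifier,)
        ).fetchone()
        if issuer is not None and issuer[0] is not None:
            pki_realm = issuer[0]
    conn.execute(
        "INSERT INTO certificate (identifier, pki_realm, subject, issuer_identifier) "
        "VALUES (?, ?, ?, ?)",
        (identifier, pki_realm, subject, issuer_identifier),
    )
    conn.commit()
    return pki_realm


def set_alias(conn, pki_realm, alias, identifier):
    """Make a certificate homed in another realm usable in pki_realm by name."""
    conn.execute(
        "INSERT INTO aliases (pki_realm, alias, identifier) VALUES (?, ?, ?)",
        (pki_realm, alias, identifier),
    )
    conn.commit()


def usable_in_realm(conn, pki_realm, identifier):
    """A certificate is usable in a realm if homed there, realm-less, or aliased in."""
    row = conn.execute(
        """
        SELECT 1 FROM certificate c
        WHERE c.identifier = ?
          AND (c.pki_realm = ?
               OR c.pki_realm IS NULL
               OR EXISTS (SELECT 1 FROM aliases a
                          WHERE a.identifier = c.identifier AND a.pki_realm = ?))
        """,
        (identifier, pki_realm, pki_realm),
    ).fetchone()
    return row is not None


def demo():
    """Walk through the scenario from the thread and collect the outcomes."""
    conn = open_db()
    results = {}
    import_certificate(conn, ISSUER_ID, "CN=Example Issuer CA", pki_realm="xca")
    try:  # same cert, different realm: rejected by the identifier-only check
        import_certificate(conn, ISSUER_ID, "CN=Example Issuer CA", pki_realm="prodxca")
        results["reimport_rejected"] = False
    except ValueError:
        results["reimport_rejected"] = True
    try:  # even bypassing the application check, the unique index refuses it
        conn.execute(
            "INSERT INTO certificate (identifier, pki_realm, subject) VALUES (?, ?, ?)",
            (ISSUER_ID, "prodxca", "CN=Example Issuer CA"),
        )
        results["unique_index_enforced"] = False
    except sqlite3.IntegrityError:
        conn.rollback()
        results["unique_index_enforced"] = True
    # A leaf requested for prodxca lands in the issuer's realm, xca.
    results["leaf_homed_in"] = import_certificate(
        conn, LEAF_ID, "CN=leaf.example", pki_realm="prodxca", issuer_identifier=ISSUER_ID
    )
    results["issuer_visible_before_alias"] = usable_in_realm(conn, "prodxca", ISSUER_ID)
    set_alias(conn, "prodxca", "example-issuer-ca", ISSUER_ID)  # bridge, no duplicate
    results["issuer_visible_after_alias"] = usable_in_realm(conn, "prodxca", ISSUER_ID)
    results["certificate_rows"] = conn.execute("SELECT COUNT(*) FROM certificate").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The alias step is the point of Martin's reply: after `set_alias`, prodxca can use the issuer certificate for chain building while the `certificate` table still holds exactly one row for it, which is why the migration advice is to import once into a clean setup and alias across realms rather than re-import per realm.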