On Sat, 2021-01-30 at 16:18 -0500, Andrew Dunstan wrote:
> Making incremental additions to the certificate set easier wouldn't be a
> bad thing.
>
> I wonder if we should really be setting 1 as the serial number, though.
> Might it not be better to use, say, `date +%Y%m%d01` rather like we do
> with catalog version numbers?

I have been experimenting a bit with both of these suggestions; hope to
have something in time for commitfest on Monday. Writing new tests for
NSS has run into the same problems you've mentioned.

FYI, I've pulled the port->peer_dn functionality you've presented here
into my authenticated identity patchset at [1].

--Jacob

[1] https://www.postgresql.org/message-id/flat/c55788dd1773c521c862e8e0dddb367df51222be.camel%40vmware.com