Acked by me. Pushed to master.

On Thu, 2016-02-25 at 16:17 -0600, Endi Sukma Dewata wrote:
> Currently JSS is unable to import CA certificates while preserving
> their nicknames. As a workaround, the pki pkcs12-import has been
> modified such that it exports individual CA certificates from PKCS
> The remaining user certificates will continue to be imported using
> JSS.
>
> A new pki pkcs12-cert-export command has been added to export
> individual certificates from a PKCS #12 file into PEM files.
>
> The pki pkcs12-import has been modified to take a list of nicknames
> of the certificates to be imported into the NSS database.
>
> https://fedorahosted.org/pki/ticket/1742
>
> Note:
>
> This patch depends on patch #690 and #691.
>
> This patch completes the fix of this ticket as described in the
> following page except for the third-party certificate handling (see
> discussion below):
> http://pki.fedoraproject.org/wiki/Exporting_System_Certificates
>
> To test this patch, install a CA with an externally signed CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate
>
> Then clone the CA:
> http://pki.fedoraproject.org/wiki/Installing_CA_Clone
>
> Verify that the certificates on the master and replica are identical,
> including their nicknames.
>
> To handle the proxy certificate for IPA, we can either implement the
> cs.thirdparty.cert properties as described in the above page, but IPA
> would have to add the properties during the installation. Also IPA
> would have to add the properties to all existing installations. Then
> IPA needs to call pki-server ca-clone-prepare to export the
> certificates for cloning. If the properties exist, the command will
> need to export the third-party certificates into the PKCS #12 file
> along with the other CA certs. Then IPA will need to add the same
> properties into the clone.
>
> Or, IPA can manage the proxy certificate themselves. Since IPA has
> already added the proxy cert into the master, IPA can also add the
> proxy cert into the PKCS #12 file generated by pki-server
> ca-clone-prepare using this command:
>
> pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \
>     pkcs12-cert-add "subsystemCert cert-pki-tomcat" \
>     --pkcs12 pki-server.p12 \
>     --pkcs12-password-file password.txt
>
> With the second option there are no further changes required in PKI.
>
> _______________________________________________
> Pki-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-devel
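As an added example (not code from the pki project or from the patch discussed above), the script below does what the quoted pkcs12-cert-export step describes: it builds a PKCS #12 file holding a CA certificate and a subsystem certificate under explicit nicknames, then splits it into one PEM file per certificate named after that certificate's nickname, so the nicknames survive for a later per-nickname import. It assumes only the openssl CLI; the keys, subjects, nicknames and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not pki project code): split a PKCS#12 file into one PEM
# file per certificate, named after the cert's nickname (PKCS#12
# friendlyName), the property the pkcs12-cert-export / pkcs12-import pair
# in the thread is meant to preserve. Assumes the openssl CLI; all keys,
# certificates, nicknames and the password are constructed for the demo.
set -e

WORK=$(mktemp -d)
P12="$WORK/pki-server.p12"
P12PASS="Secret.123"          # constructed demo password
OUT="$WORK/export"
mkdir -p "$OUT"

# Constructed CA and subsystem certificates, signed as a two-level chain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Subsystem" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/sub.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/sub.pem" 2>/dev/null

# Package both certs with explicit nicknames (constructed to mirror the
# "<purpose> cert-pki-tomcat" naming used in the thread).
openssl pkcs12 -export -in "$WORK/sub.pem" -inkey "$WORK/sub.key" \
  -name "subsystemCert cert-pki-tomcat" \
  -certfile "$WORK/ca.pem" -caname "caSigningCert cert-pki-tomcat" \
  -passout "pass:$P12PASS" -out "$P12"

# pkcs12_cert_export P12 PASSWORD DIR: write DIR/<nickname>.pem per cert.
# openssl prints a "friendlyName:" bag attribute just before each cert;
# the nickname is sanitised to a safe file name (spaces become "_").
pkcs12_cert_export() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
  awk -v dir="$3" '
    /^ *friendlyName:/ { sub(/^ *friendlyName: */, ""); nick = $0
                         gsub(/[^A-Za-z0-9._-]/, "_", nick) }
    /^-----BEGIN CERTIFICATE-----/ { out = dir "/" nick ".pem" }
    out != "" { print > out }
    /^-----END CERTIFICATE-----/ { close(out); out = "" }'
}

# cert_subject PEM: print the subject of the certificate in PEM (for checks).
cert_subject() { openssl x509 -in "$1" -noout -subject; }

pkcs12_cert_export "$P12" "$P12PASS" "$OUT"
ls "$OUT"
```

Each exported file can then be imported into an NSS database individually under the nickname its file name records, which is the per-nickname import the modified pki pkcs12-import performs.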
