On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> The patch itself is fine.
>
> I'm just struggling with where this script should exist.
>
> pki-server ca-cert-db-upgrade seems like an awfully generic description
> for this operation - which basically provides a very specific db
>
Hi team,
Attached patch implements https://fedorahosted.org/pki/ticket/1618
(Lightweight CAs: include Issuer DN and Serial in AuthorityData).
If ACKed and we want to kick off builds of 10.3.0, please go ahead
and merge it, otherwise I'll merge it on Monday morning.
Cheers,
Fraser
From
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
>
> Thanks,
> Fraser
>
Acked by alee
Took a look at this.
Seems pretty good, so ACK, with a concern or two.
I think we might want to consider seeing if we can somehow short circuit
the display to something that won't let them send to the server, when we
know we don't even have the keygen tag available.
So if tested to work with
While testing Chrome, we discovered that (a) keygen would soon not be
supported:
* https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack
(b) although keygen is still supported, it has been disabled by default
with a workaround provided to re-enable it:
*
Ticket #1641 Enhance tkstool for capabilities and security
The key is now generated with the flags needed to keep the data from being
displayed with simple tools such as symkeyutil.
As per cfu's instructions,
I was able to test this with the nethsm only.
I also was able to make the key des3
On 5/11/2016 7:20 PM, Endi Sukma Dewata wrote:
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
The ConfigurationUtils.handleCertRequest() has been modified to
throw an exception on error
On 5/11/2016 9:04 PM, Matthew Harmsen wrote:
ACK
Thanks! Pushed to master.
--
Endi S. Dewata
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Acked by Endi. Pushed to master.
On Wed, 2016-05-11 at 23:11 -0400, Ade Lee wrote:
> commit 5efd691e71f32b350737d95fe08f470164e60192
> Author: Ade Lee
> Date: Thu May 12 00:35:41 2016 +0200
>
> Fix existing ca setup to work with HSM
>
> If the existing CA keys