Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> The patch itself is fine.
>
> I'm just struggling with where this script should exist.
>
> pki-server ca-cert-db-upgrade seems like an awfully generic description
> for this operation - which basically provides a very specific db
>

[Pki-devel] [PATCH] 0108 Lightweight CAs: add issuer DN and serial to AuthorityData

2016-05-12 Thread Fraser Tweedale
Hi team, Attached patch implements https://fedorahosted.org/pki/ticket/1618 (Lightweight CAs: include Issuer DN and Serial in AuthorityData). If ACKed and we want to kick off builds of 10.3.0, please go ahead and merge it, otherwise I'll merge it on Monday morning. Cheers, Fraser From

Re: [Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-12 Thread Fraser Tweedale
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
>
> Thanks,
> Fraser
>
Acked by alee

Re: [Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread John Magne
Took a look at this. Seems pretty good, so ACK, with a concern or two. I think we might want to consider seeing if we can somehow short circuit the display to something that won't let them send to the server, when we know we don't even have the keygen tag available. So if tested to work with

[Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread Matthew Harmsen
While testing chrome, we discovered that (a) keygen would soon not be supported: * https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack (b) although keygen is still supported, it has been disabled by default with a workaround provided to re-enable it: *

Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

2016-05-12 Thread John Magne
Ticket #1641 Enhance tkstool for capabilities and security The key is now generated with the flags needed to keep the data from being displayed with simple tools such as symkeyutil. As per cfu's instructions, I was able to test this with the nethsm only. I also was able to make the key des3

Re: [Pki-devel] [PATCH] 744-745 Fixed missing CSR extensions for external CA case.

2016-05-12 Thread Endi Sukma Dewata
On 5/11/2016 7:20 PM, Endi Sukma Dewata wrote: The deployment tool has been modified to generate CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. The ConfigurationUtils.handleCertRequest() has been modified to throw an exception on error

Re: [Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.

2016-05-12 Thread Endi Sukma Dewata
On 5/11/2016 9:04 PM, Matthew Harmsen wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] fix for existing CA for HSM

2016-05-12 Thread Ade Lee
Acked by Endi. Pushed to master.

On Wed, 2016-05-11 at 23:11 -0400, Ade Lee wrote:
> commit 5efd691e71f32b350737d95fe08f470164e60192
> Author: Ade Lee
> Date: Thu May 12 00:35:41 2016 +0200
>
> Fix existing ca setup to work with HSM
>
> If the existing CA keys