[Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct

Jan Cholasta jcholast at redhat.com
Tue Aug 23 15:55:42 UTC 2011


On 23.8.2011 15:36, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 18.8.2011 17:47, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 17.8.2011 10:27, Jan Cholasta wrote:
>>>>> Verify that --external_cert_file and --external_ca_file are both
>>>>> readable, valid PEM files and that their subject/issuer is correct.
>>>>>
>>>>> Also fixes ipalib.x509.load_certificate_from_file.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1572
>>>>>
>>>>> Honza
>>>>>
>>>>
>>>> Patch attached.
>>>
>>> nack, but this is very close.
>>>
>>> If the CA is a chain the signing check may fail if the first cert isn't
>>> the one that signed the CSR. You need to check all CA certs in the file.
>>>
>>> rob
>>
>> Fixed.
>>
>> Honza
>>
>
> Nice, I really like the way you import the cert chain.
>
> One more small request. When a failure occurs can you print more detail
> on why? For example, we mandate that the subject of the CA cert be
> CN=Certificate Authority,<subject_base>. Can you include what we expect
> if this fails? Similarly when reviewing the cert chain display can you
> show what CA is missing?
>
> rob

Updated patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-41.2-external-ca-verify.patch
Type: text/x-patch
Size: 5404 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110823/8e2354c9/attachment.bin>
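The checks the thread settles on, as an added example that is not the attached patch or FreeIPA's own code: every CA in the file is searched for the signer (not only the first one), the chain is walked up to a self-signed root, and a failure names the expected subject or the missing CA. The subject_base, names and chain are constructed sample values, and extracting subject/issuer names from the PEM files is assumed to be done beforehand by a certificate library.

```python
# Added example, not the thread's patch.  Operates on already-parsed
# subject/issuer strings; PEM parsing is assumed to happen elsewhere.

def expected_ca_subject(subject_base):
    """IPA expects its CA cert subject to be CN=Certificate Authority,<subject_base>."""
    return "CN=Certificate Authority," + subject_base


def verify_external_ca(cert_subject, cert_issuer, ca_certs, subject_base):
    """Check an externally signed IPA CA certificate against the CA chain file.

    cert_subject / cert_issuer: names taken from --external_cert_file.
    ca_certs: list of {"subject": ..., "issuer": ...} in the order they appear
    in --external_ca_file (any order is accepted; the root may come first).
    Returns (ok, message); on failure the message says what was expected.
    """
    expected = expected_ca_subject(subject_base)
    if cert_subject != expected:
        return False, "subject of the external CA certificate is '%s', expected '%s'" % (
            cert_subject, expected)

    by_subject = {ca["subject"]: ca for ca in ca_certs}

    # Look through every CA in the file for the one that issued the certificate.
    signer = by_subject.get(cert_issuer)
    if signer is None:
        return False, ("CA file does not contain the issuer of the certificate: "
                       "missing CA with subject '%s'" % cert_issuer)

    # Walk upwards until a self-signed root; report the first missing link.
    seen = set()
    current = signer
    while current["subject"] != current["issuer"]:
        if current["subject"] in seen:
            return False, "CA chain contains a loop at '%s'" % current["subject"]
        seen.add(current["subject"])
        parent = by_subject.get(current["issuer"])
        if parent is None:
            return False, ("CA chain is incomplete: missing CA with subject '%s' "
                           "(issuer of '%s')" % (current["issuer"], current["subject"]))
        current = parent
    return True, "certificate chains to root CA '%s'" % current["subject"]
```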