[Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct

Rob Crittenden rcritten at redhat.com
Tue Aug 23 20:24:47 UTC 2011


Jan Cholasta wrote:
> On 23.8.2011 15:36, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 18.8.2011 17:47, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> On 17.8.2011 10:27, Jan Cholasta wrote:
>>>>>> Verify that --external_cert_file and --external_ca_file are both
>>>>>> readable, valid PEM files and that their subject/issuer is correct.
>>>>>>
>>>>>> Also fixes ipalib.x509.load_certificate_from_file.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1572
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>> Patch attached.
>>>>
>>>> nack, but this is very close.
>>>>
>>>> If the CA is a chain the signing check may fail if the first cert isn't
>>>> the one that signed the CSR. You need to check all CA certs in the
>>>> file.
>>>>
>>>> rob
>>>
>>> Fixed.
>>>
>>> Honza
>>>
>>
>> Nice, I really like the way you import the cert chain.
>>
>> One more small request. When a failure occurs can you print more detail
>> on why? For example, we mandate that the subject of the CA cert be
>> CN=Certificate Authority,<subject_base>. Can you include what we expect
>> if this fails? Similarly when reviewing the cert chain display can you
>> show what CA is missing?
>>
>> rob
>
> Updated patch attached.
>
> Honza
>

ack, pushed to master and ipa-2-1
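As an added example, not part of this thread or the FreeIPA patch itself: the two checks Rob asked for, searching every certificate in the external CA file for the one that issued the IPA CA cert (not just the first) and naming the expected subject or the missing CA on failure. It works on subject/issuer names only; the subject base and DNs are constructed placeholders, and a real implementation must also verify each signature, not merely match names.

```python
import re
from dataclasses import dataclass

# Matches one PEM certificate block; the external CA file may hold a whole chain.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return every PEM certificate block found in a file, in file order."""
    return PEM_CERT.findall(text)


@dataclass(frozen=True)
class Cert:
    subject: str   # DN as an RFC 4514 string, e.g. "CN=Certificate Authority,O=EXAMPLE.TEST"
    issuer: str


def expected_ca_subject(subject_base):
    """The subject the IPA CA certificate must carry: CN=Certificate Authority,<subject_base>."""
    return "CN=Certificate Authority," + subject_base


def verify_external_certs(ipa_ca, external_cas, subject_base):
    """Return (ok, message).

    Checks the subject mandate, then follows issuer links through every certificate
    in the external CA file until a self-signed root is reached.  The message names
    the expected value or the missing CA so the operator knows what to fix.
    """
    expected = expected_ca_subject(subject_base)
    if ipa_ca.subject != expected:
        return False, f"subject of the CA certificate is '{ipa_ca.subject}', expected '{expected}'"
    by_subject = {c.subject: c for c in external_cas}   # order in the file does not matter
    current, seen = ipa_ca, set()
    while current.subject != current.issuer:            # stop at a self-signed root
        if current.issuer in seen:
            return False, f"issuer loop at '{current.issuer}'"
        seen.add(current.issuer)
        issuer_cert = by_subject.get(current.issuer)
        if issuer_cert is None:
            return False, f"CA certificate with subject '{current.issuer}' is missing from the external CA file"
        current = issuer_cert
    return True, f"chain verified up to root '{current.subject}'"


if __name__ == "__main__":
    # Constructed sample: the signing intermediate is deliberately listed after the root.
    root = Cert("CN=Root CA,O=External", "CN=Root CA,O=External")
    inter = Cert("CN=Issuing CA,O=External", "CN=Root CA,O=External")
    ipa = Cert("CN=Certificate Authority,O=EXAMPLE.TEST", "CN=Issuing CA,O=External")
    print(verify_external_certs(ipa, [root, inter], "O=EXAMPLE.TEST"))
    print(verify_external_certs(ipa, [root], "O=EXAMPLE.TEST"))
```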