#30 Be able to receive multiple certificates during issuance
Opened 9 years ago by nalin. Modified 2 years ago

In deployments where the CA we're using is a subordinate of another, the CA might provide a dedicated interface for reading its chain, or it might not. If it only provides the chain when issuing certificates (for example, by providing multiple certificates wrapped up in a PKCS#7 signed-data item), we need to be able to sift through that soup, extract the certificate that matches the public key in our request, and sort the rest of the certificates in a suitable chain order.


Metadata Update from @nalin:
- Issue set to the milestone: 0.76

7 years ago

With FreeIPA, for instance, the certificates retrieved from the CA include all the certificates added to the domain with 'ipa-cacert-manage install'; so if your FreeIPA CA is a subordinate CA, you get:

  • The subordinate CA certificate (which you want)
  • The root CA certificate which signed the subordinate (which you don't want)
  • Any other root CA certificates added to the domain (which you don't want)

Are you talking about using the -F/-a options to retrieve the CA chain?

I think that is a different issue.

NSS generally wants the entire chain and not just the signing CA, in order for trust to work.
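One way to implement the sifting the issue description asks for, using the FreeIPA bundle listed above as the sample input. This is an added example, not the project's own code; it assumes the PKCS#7 item has already been decoded into per-certificate records (the CertInfo stand-in) and matches on an SPKI digest plus subject/issuer names only, without verifying signatures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Minimal stand-in for a decoded X.509 certificate (assumption: a real
    implementation fills these from the certificates inside the PKCS#7 blob)."""
    subject: str
    issuer: str
    spki_hash: str  # digest of the SubjectPublicKeyInfo, compared against the request key

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def sift_bundle(bundle, request_spki_hash):
    """Return (leaf, chain): the certificate issued for our key, then its
    issuers ordered leaf-first up to the root. Certificates that are not on
    that path (e.g. unrelated roots the CA also ships) are dropped."""
    matches = [c for c in bundle if c.spki_hash == request_spki_hash]
    if len(matches) != 1:
        raise ValueError(f"expected one certificate for our key, got {len(matches)}")
    leaf = matches[0]
    by_subject = {}
    for c in bundle:
        by_subject.setdefault(c.subject, []).append(c)
    chain, seen, current = [], {leaf}, leaf
    while not current.self_signed:
        # Skip anything already used so a malformed bundle cannot loop forever.
        candidates = [c for c in by_subject.get(current.issuer, []) if c not in seen]
        if not candidates:
            break  # issuer not in the bundle: the chain is as complete as we can make it
        current = candidates[0]
        seen.add(current)
        chain.append(current)
    return leaf, chain


def example_bundle():
    # Constructed sample matching the FreeIPA case: the issued certificate,
    # its subordinate CA, the root that signed the sub CA, and an unrelated
    # root that was also added to the domain, in no particular order.
    return [
        CertInfo("CN=Unrelated Root", "CN=Unrelated Root", "spki-unrelated"),
        CertInfo("CN=Root CA", "CN=Root CA", "spki-root"),
        CertInfo("CN=host.example.test", "CN=Sub CA", "spki-ours"),
        CertInfo("CN=Sub CA", "CN=Root CA", "spki-sub"),
    ]
```

The returned chain is what NSS needs stored alongside the leaf: the subordinate CA followed by its root, with the unrelated root left out.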

Metadata Update from @rcritten:
- Issue close_status updated to: None

2 years ago
