#1442 Ability to toggle profile usability in Web vs CLI tools
Closed: Fixed. Opened 8 years ago by dminnich.

This enhancement is needed because of https://fedorahosted.org/pki/ticket/1074. We will be running a KRA and we don't want people to get encryption certs if their private key can't be escrowed.

Since Mozilla removed the functionality browsers needed to do this, and the current solution is to use the CLI tools, we would like to be able to hide the profile in the browser but let the CLI tools use it, since the former won't be escrowed and the latter will.

FWIW, I tried pki against a visible=false enable=true profile because that approximates the functionality we'd like to see, and it bombed with "Profile not marked as visible".


Per CS/DS Meeting of 6/29/2015: 10.2.6 (should allow enabled profiles to work, even if not visible)

Having looked at this, I have found the following:

In the "Dual Use Certificate" form, the javascript code uses the crypto.generateCRMFRequest call even for the dual use case that does NOT use archival. This of course only shows up when the user HAS the crypto object. When the user does not have the crypto object, it defaults to a bare bones RSA method using the basic "keygen" tag.

I have done some experimenting and it appears the keygen tag can handle ECC, and I was able to hard code an example with ECC and nistp256, and the dogtag server accepted it and used it just fine.

The next step is to figure out how to have the user select the key type, either ECC or RSA, with the keygen tag. I suspect that the choices of curves will be bare bones because keygen only supports "medium strength" and "high strength" in the Mozilla version. That is to be determined though. I now have to figure out how to pipe the result of the keytype dropdown INTO the keygen tag.

Ooops, previous comment was for another ticket, disregard.

Patch ACKd and pushed:

commit b253cad196f57e79a5aede53aceffede1c9edfbe
Author: Jack Magne jmagne@localhost.localdomain
Date: Wed Jul 1 15:01:45 2015 -0700

Ability to toggle profile usability in Web vs CLI tools.

Ticket #1442.

This fix gives the command line enrollment commands the ability to enroll a cert against a profile
that has been marked as not visible but "enabled".

With the simple fix the following scenarios tested to work:

The "caUserCert" Profile was marked as not visible, but enabled.

1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne
    This is the simplest form of user cert enrollment.

2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
   pki ca-cert-request-submit testuser.xml

    The first command gives us the profile's xml file, which after modification is used to enroll.

3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert

    This one shows that we can view the contents of a non visible profile. Listing is not allowed.
    We felt this appropriate to allow a command line user to get the details of a non visible profile that
    they know about and want to use.
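The three scenarios above all hinge on two flags in the profile's config file: "enable" (may the profile issue certificates at all) and "visible" (does the web UI offer it). The following audit script is an added example, not Dogtag's own code and not part of the ticket; it classifies profile .cfg files by those two flags under the post-fix semantics (enabled but not visible means CLI-only, enabled and visible means web and CLI, disabled means neither). It assumes profile configs are flat key=value files with keys spelled "enable" and "visible", as in the profiles shipped under /var/lib/pki/<instance>/ca/profiles/ca/, and it writes its own constructed sample files so it runs offline.

```shell
#!/bin/sh
# Added example, not Dogtag code: classify CA profile .cfg files by the
# "enable" and "visible" flags that the command line / web UI split keys off.
#
# Assumption (not stated in the ticket): profile configs are flat key=value
# files and the relevant keys are "enable" and "visible".

# profile_flag FILE KEY -> value of KEY (last occurrence wins), empty if unset
profile_flag() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# profile_usability FILE -> one of: disabled | web+cli | cli-only
# Post-fix semantics: an enabled profile can be used from the command line
# whether or not it is visible; the browser only offers profiles that are
# both enabled and visible; a disabled profile serves neither.
profile_usability() {
    enable=$(profile_flag "$1" enable)
    visible=$(profile_flag "$1" visible)
    if [ "$enable" != "true" ]; then
        echo disabled
    elif [ "$visible" = "true" ]; then
        echo web+cli
    else
        echo cli-only
    fi
}

# audit_profiles DIR -> prints "<profile id><TAB><usability>" for each *.cfg
audit_profiles() {
    for cfg in "$1"/*.cfg; do
        id=$(basename "$cfg" .cfg)
        printf '%s\t%s\n' "$id" "$(profile_usability "$cfg")"
    done
}

# --- constructed sample profiles (not real Dogtag files) ---
SAMPLE_DIR=$(mktemp -d)

# The ticket's scenario: hidden from the browser, still enabled.
cat > "$SAMPLE_DIR/caUserCert.cfg" <<'EOF'
desc=Constructed sample: user cert profile hidden from the web UI
visible=false
enable=true
enableBy=admin
EOF

# Ordinary profile: listed in the browser and usable from the CLI.
cat > "$SAMPLE_DIR/caServerCert.cfg" <<'EOF'
desc=Constructed sample: visible and enabled
visible=true
enable=true
enableBy=admin
EOF

# Visible but disabled: neither path may enroll against it.
cat > "$SAMPLE_DIR/caDisabledCert.cfg" <<'EOF'
desc=Constructed sample: visible but disabled
visible=true
enable=false
EOF

audit_profiles "$SAMPLE_DIR"
```

Point the audit at a real instance's profile directory to see which profiles are reachable only through the command line tools; note that, per the commit message, such profiles can be shown by id with ca-profile-show but are still not listed.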

Metadata Update from @dminnich:
- Issue assigned to jmagne
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2002

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
