Currently the CSRs of the system certificates are stored in CS.cfg:
ca.signing.certreq=...
This is currently necessary because the CSR may be needed in the future (e.g. for renewals). However, it may cause some maintenance issues. Sometimes the CSR could become outdated (due to rekeying) or get lost (ticket #1551). Also, the CSR can technically be regenerated using the existing key, so there is no need to store it in CS.cfg.
A new CLI can be provided to generate a CSR from an existing key. It will be similar to PKCS10Client except that it skips the key generation. The CLI can be called by the installation tool, thus simplifying the code. Any code that currently reads the CSR from CS.cfg will be changed to generate a new one using the CLI. Later an upgrade script can remove the CSR from existing CS.cfg.
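The proposal above rests on one fact: a PKCS#10 CSR carries nothing that cannot be rebuilt from the existing key plus a subject, so regenerating it is safe as long as the regenerated CSR really is bound to the same key. The following shell functions are an added illustration of that check with the openssl CLI; they are not the proposed Dogtag CLI (which targets keys in an NSS database) and not code from the Dogtag project. File names, the subject string and the use of PEM key files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Dogtag PKI's own code): regenerate a PKCS#10 CSR from an
# existing private key with openssl, then verify that the CSR's public key is
# the key's public key. Assumes the openssl CLI and PEM-encoded keys; all
# paths and subject names are constructed for the demo.

# regenerate_csr KEY SUBJECT OUT
# Writes a CSR for the private key in KEY to OUT. No key generation happens
# here: the existing key is reused, which is what the ticket proposes for the
# system certificates instead of keeping ca.signing.certreq in CS.cfg.
regenerate_csr() {
    key="$1"; subject="$2"; out="$3"
    openssl req -new -key "$key" -subj "$subject" -out "$out" 2>/dev/null
}

# pubkey_fingerprint_of_key KEY
# Prints the SHA-256 of the DER-encoded public key derived from KEY.
pubkey_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_fingerprint_of_csr CSR
# Prints the SHA-256 of the DER-encoded public key carried inside CSR.
pubkey_fingerprint_of_csr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_key CSR KEY
# Succeeds only when CSR was built from KEY. This is the check a renewal path
# should run before trusting a regenerated CSR: after a rekey the key on disk
# and a cached CSR can silently disagree.
csr_matches_key() {
    csr_fp="$(pubkey_fingerprint_of_csr "$1")"
    key_fp="$(pubkey_fingerprint_of_key "$2")"
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$key_fp" ]
}

# csr_signature_valid CSR
# Succeeds when the CSR's self-signature verifies, i.e. whoever produced the
# CSR held the private key matching the embedded public key.
csr_signature_valid() {
    openssl req -in "$1" -verify -noout 2>/dev/null
}

# Usage (constructed example):
#   regenerate_csr /path/to/ca.key "/CN=CA Signing Certificate/O=EXAMPLE" ca.csr
#   csr_matches_key ca.csr /path/to/ca.key && csr_signature_valid ca.csr
```

Comparing public-key fingerprints rather than the CSR bytes is deliberate: two CSRs for the same key differ in their signatures (and possibly subject or attributes), so byte equality would reject a perfectly good regenerated CSR, while the public key is the one component that must be identical.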
Per CS/DS Meeting of 2016/01/25: 10.4
Are you planning to implement it in Java or in Python? python-cryptography now has the necessary features to build certs: https://cryptography.io/en/latest/x509/reference/#x-509-certificate-builder
Metadata Update from @edewata: - Issue set to the milestone: UNTRIAGED
Possibly in Java since the key is stored in NSS database.
This will be useful to address this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1454444
Metadata Update from @edewata: - Custom field feature adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None
Metadata Update from @edewata: - Issue priority set to: critical (was: major) - Issue set to the milestone: FUTURE (was: UNTRIAGED)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2295
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)