These tests would be run at the beginning of the install, and certainly with the dry_run option. They answer basic questions like:
-- is the cert/chain in the correct/readable format? (is it parseable?)
-- does it have the correct extensions? microsoft specific extensions?
-- restrictions on key size etc?
-- is the chain complete?
This way we can fail fast if the externally signed cert and chain is not valid.
[alee@aleeredhat pki]$ git cherry-pick f8e6d684f6a24a4ea52e1fcf9d81e1b9ef96ccca
[master 5546024] Add CLI to check system certificate status
 Date: Wed Apr 20 17:26:23 2016 -0400
 4 files changed, 315 insertions(+)
 create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
[alee@aleeredhat pki]$ git cherry-pick 537828983b11d1b26c5b1b140e79eaa45a06c63a
[master 29cee52] Add validity check for the signing certificate in pkispawn
 Date: Fri Apr 22 15:31:43 2016 -0400
 2 files changed, 68 insertions(+), 15 deletions(-)
[alee@aleeredhat pki]$ git push origin master
Counting objects: 29, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (23/23), done.
Writing objects: 100% (29/29), 5.82 KiB | 0 bytes/s, done.
Total 29 (delta 18), reused 0 (delta 0)
To ssh://vakwetu@git.fedorahosted.org/git/pki.git
   6d37d95..29cee52  master -> master
If the cert validation tool is run after external CA installation step 1 it will ask for a password and then fail:
$ pki-server subsystem-cert-validate ca
Enter password for hardware-None:
...
TypeError: execv() arg 2 must contain only strings
This is probably because by default the CA's CS.cfg uses 'internal' token name:
ca.ocsp_signing.tokenname=internal
and OCSP's CS.cfg too:
ocsp.signing.tokenname=internal
but the following code in SubsystemCertValidateCLI only checks for 'Internal Key Storage Token':
# get token password and store in temporary file
if token == 'Internal Key Storage Token':
    passwd = instance.get_password('internal')
else:
    passwd = instance.get_password("hardware-%s" % token)
and
if token != 'Internal Key Storage Token':
    cmd.extend(['--token', token])
Since both 'Internal Key Storage Token' and 'internal' are valid names for internal token, the code should check for both names.
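As an added illustration of the fix the comment above asks for (this is not Dogtag's own code): a small Python helper that treats both 'internal' and 'Internal Key Storage Token' (and a missing token) as the internal token, so that the password lookup and the --token handling can never disagree and no None reaches execv(). The password store and the base command are constructed placeholders standing in for instance.get_password() and the real CLI invocation.

```python
# Added example, not Dogtag's own code: normalise the two spellings of the NSS
# internal token before looking up its password or building the command line.

INTERNAL_TOKEN_NAMES = ('internal', 'Internal Key Storage Token')

# Constructed stand-in for instance.get_password(); a real password.conf holds
# entries keyed 'internal' and 'hardware-<token name>'.
PASSWORD_STORE = {
    'internal': 'Secret.123',
    'hardware-nfast': 'Hw.456',
}


def is_internal_token(token):
    """True for either name of the NSS software token, or for no token at all."""
    return token is None or token.strip() in INTERNAL_TOKEN_NAMES


def password_key(token):
    """Key under which the token password is stored (same two branches as the CLI)."""
    if is_internal_token(token):
        return 'internal'
    return 'hardware-%s' % token


def get_token_password(store, token):
    """Look up the password; fail loudly instead of silently returning None."""
    key = password_key(token)
    passwd = store.get(key)
    if passwd is None:
        raise KeyError('no password for %s in password store' % key)
    return passwd


def build_validate_cmd(token, nickname, passwd_file):
    """Build the validate command; add --token only for a real hardware token."""
    # hypothetical base command; the real tool's argv differs
    cmd = ['pki', '-C', passwd_file, 'client-cert-validate', nickname]
    if not is_internal_token(token):
        cmd.extend(['--token', token])
    # every argv element must be a str, otherwise execv() raises TypeError
    if not all(isinstance(arg, str) for arg in cmd):
        raise TypeError('command line contains a non-string argument: %r' % cmd)
    return cmd
```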
Additional fix in master:
Metadata Update from @vakwetu:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.3.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2331
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.