Dogtag CA complies with standards by evaluating issuer and subject names in their canonical forms. Unfortunately, most of the cryptographic libraries validate certificates by processing encoded names instead of names in their canonical forms. This information has been confirmed with our crypto group. The lack of proper name processing by cryptographic libraries during certificate validation resulted in the CA cross signing issue reported in ticket #448.
To solve this issue Dogtag CA has two options:
Dogtag CA:
This ticket is designated to cover work associated with building a new profile for CA cross signing enrollment.
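The mismatch described in the ticket, as an added example that is not part of the ticket or of Dogtag's code. It assumes the same DN is encoded once as PrintableString and once as UTF8String (the ticket does not say what differed), uses constructed names, and applies only a simplified form of the RFC 5280 section 7.1 name comparison.

```python
# Added example with constructed names (standard library only). Assumption: the
# same DN is encoded with PrintableString in one place and UTF8String in another.
PRINTABLE, UTF8 = 0x13, 0x0C
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")

def tlv(tag, value):  # DER tag-length-value, short and long length forms
    n = len(value)
    k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + value

def encode_name(attrs, string_tag):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode())))
        for oid, text in attrs))

def children(buf):
    """Split a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def canonical(name_der):
    """Simplified canonical form: ignore string type, case and extra spaces."""
    return [sorted((oid, " ".join(val.decode().split()).casefold())
                   for _, atv in children(rdn)
                   for (_, oid), (_, val) in [children(atv)])
            for _, rdn in children(children(name_der)[0][1])]

def match_encoded(a, b):    # byte comparison of the encoded names
    return a == b

def match_canonical(a, b):  # comparison of the names in canonical form
    return canonical(a) == canonical(b)

DN = [(OID_O, "Example Org"), (OID_CN, "Example Root CA")]  # constructed
SUBJECT = encode_name(DN, PRINTABLE)  # subject of the CA's own certificate
ISSUER = encode_name(DN, UTF8)        # issuer field of a certificate it signed

if __name__ == "__main__":
    print("encoded match:  ", match_encoded(SUBJECT, ISSUER))
    print("canonical match:", match_canonical(SUBJECT, ISSUER))
```

A validator that compares the encoded bytes fails to chain these two names even though a canonical comparison treats them as the same issuer.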
attachment CA-cross-signing-profile.patch
attachment Pre-registration-of-CA-cross-signing-profile.patch
git push
Counting objects: 14, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 1.67 KiB, done.
Total 8 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   b76fddf..2a58ffc  master -> master

git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 679 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   2a58ffc..bc2df10  master -> master
Testing procedure is provided in https://fedorahosted.org/pki/ticket/448#comment:11
Metadata Update from @awnuk: - Issue assigned to awnuk - Issue set to the milestone: 10.1 - 08/13 (August)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1250
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.