#11 SAML2 cert improvements
Opened 4 years ago by dkelson. Modified 2 years ago
dkelson/ipsilon master  into  master

file modified
+7 -1

@@ -21,11 +21,17 @@ 

          self.cert = os.path.join(self.path, '%s.pem' % prefix)

          self.subject = '/CN=%s' % subject

          command = ['openssl',

-                    'req', '-x509', '-batch', '-days', '1825',

+                    'req', '-x509', '-batch', '-days', '3650',

Just wondering why this change? I think we should not encourage people to keep certificates for 10 years.

If someone really wants to use a certificate that's valid for 10 years, I would suggest that they generate it themselves outside of Ipsilon.

I agree with @puiterwijk here.

                     '-newkey', 'rsa:2048', '-nodes', '-subj', self.subject,

                     '-keyout', self.key, '-out', self.cert]

          proc = Popen(command)

          proc.wait()

+ 	# show the sysadmin the cert fingerprint, needed by some SPs

I'm not entirely sure this is useful, since the time when people need this (when configuring the SP in Ipsilon), they most likely have already closed the terminal they ran ipsilon-client-installer in, and they will need to get this information the manual way again.

I think it would be more useful to just document this somewhere.

+ 	print 'ipsilon SAML2 Public Key'

+         command = ['openssl', 'x509', '-in', self.cert, '-noout',

+                    '-fingerprint']

+ 	proc = Popen(command)

+ 	proc.wait()

  

      def import_cert(self, certfile, keyfile):

          self.cert = certfile
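
Review bot: neither `proc.wait()` result is checked in this hunk, so if the `openssl req` call fails, the added block still runs `openssl x509 -in self.cert` against a file that may be missing or stale; check the return code of the first call and skip or raise before printing a fingerprint. In the added lines, the comment, `print`, `proc = Popen(command)` and `proc.wait()` start with a tab while `command = ['openssl', 'x509', ...` is indented with spaces, which Python can reject or misparse; use the same space indentation as the surrounding method body. The label `'ipsilon SAML2 Public Key'` does not match what `-fingerprint` prints, which is a digest of the certificate, so something like "SAML2 certificate fingerprint" would be accurate. No digest option is passed, so the algorithm is left to the openssl default; name it explicitly to match what the SPs expect. The `print` statement form also ties this code to Python 2.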

no initial comment

Is this PR still relevant?
