PR#11: SAML2 cert improvements - ipsilon

ipsilon

#11 SAML2 cert improvements

Opened 8 years ago by dkelson. Modified 7 years ago

dkelson/ipsilon master into master

Bump the self-signed cert expiration to 10 years from 5

Dax Kelson • 8 years ago

a7c42f5

Display the cert fingerprint on generation

Dax Kelson • 8 years ago

039dad8

ipsilon/tools/certs.py

file modified

+7 -1

		`@@ -21,11 +21,17 @@`
		`self.cert = os.path.join(self.path, '%s.pem' % prefix)`
		`self.subject = '/CN=%s' % subject`
		`command = ['openssl',`
		`- 'req', '-x509', '-batch', '-days', '1825',`
		`+ 'req', '-x509', '-batch', '-days', '3650',`
alert("boo! (puiterwijk was here)"); Uiterwijk (puiterwijk)">puiterwijk commented 8 years ago Just wondering why this change? I think we should not encourage people to keep certificates for 10 years. If someone really wants to use a certificate that's valid for 10 years, I would suggest them to generate it themselves outside of Ipsilon.
bowlofeggs commented 7 years ago I agree with @puiterwijk here.
		`'-newkey', 'rsa:2048', '-nodes', '-subj', self.subject,`
		`'-keyout', self.key, '-out', self.cert]`
		`proc = Popen(command)`
		`proc.wait()`
		`+ # show the sysadmin the cert fingerprint, needed by some SPs`
alert("boo! (puiterwijk was here)"); Uiterwijk (puiterwijk)">puiterwijk commented 8 years ago I'm not entire sure this is useful, since the time when people need this (when configuring the SP in Ipsilon), they most likely have already closed the terminal they ran ipsilon-client-installer in, and they will need to get this information the manual way again. I think it would be more useful to just document this somewhere.
		`+ print 'ipsilon SAML2 Public Key'`
		`+ command = ['openssl', 'x509', '-in', self.cert, '-noout',`
		`+ '-fingerprint']`
		`+ proc = Popen(command)`
		`+ proc.wait()`

		`def import_cert(self, certfile, keyfile):`
		`self.cert = certfile`

no initial comment

puiterwijk commented on line 11 of ipsilon/tools/certs.py 8 years ago

I'm not entire sure this is useful, since the time when people need this (when configuring the SP in Ipsilon), they most likely have already closed the terminal they ran ipsilon-client-installer in, and they will need to get this information the manual way again.

I think it would be more useful to just document this somewhere.

puiterwijk commented on line 6 of ipsilon/tools/certs.py 8 years ago

Just wondering why this change? I think we should not encourage people to keep certificates for 10 years.

If someone really wants to use a certificate that's valid for 10 years, I would suggest them to generate it themselves outside of Ipsilon.

bowlofeggs commented on line 6 of ipsilon/tools/certs.py 7 years ago

I agree with @puiterwijk here.