The following default nicknames reside under the [DEFAULT] section, and are PKI instance specific (e.g., for all PKI subsystems that are part of a shared PKI instance):
[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
Additionally, the following default nicknames are PKI instance subsystem specific:
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA

[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA

[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP

[TKS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS

[TPS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
In deployments which utilize multiple default named instances (many of which are clones) and an HSM, a number of the PKI instance-specific certificate nicknames may "collide" on a shared HSM partition, making it difficult to know which certificate goes with which instance.
This ticket has been created to consider potentially better default names for these nicknames when a deployment chooses to only use the default instance name for all of its instances.
The new nicknames should avoid conflicts and also should be less cryptic. See ticket #432.
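The collision described in this ticket can be reproduced offline with Python's configparser, which uses the same %(name)s interpolation as the templates above. This is an added example, not code from the ticket or from Dogtag; the host names are constructed, and pki-tomcat is assumed to be the default instance name.

```python
import configparser
from collections import defaultdict

# Nickname templates copied from the ticket ([DEFAULT], [CA] and [KRA] only).
TEMPLATES = """
[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
"""

def resolve(subsystem, instance_name):
    """Expand the nickname templates for one subsystem of one instance."""
    cp = configparser.ConfigParser()
    cp.read_string(TEMPLATES)
    cp.set("DEFAULT", "pki_instance_name", instance_name)
    return {k: v for k, v in cp.items(subsystem) if k.endswith("_nickname")}

def collisions(deployments):
    """Map each nickname claimed by more than one host to those hosts.

    deployments: iterable of (host, subsystem, instance_name) tuples that
    all store their keys on the same HSM partition.
    """
    owners = defaultdict(set)
    for host, subsystem, instance_name in deployments:
        for nickname in resolve(subsystem, instance_name).values():
            owners[nickname].add(host)
    return {n: sorted(h) for n, h in owners.items() if len(h) > 1}

if __name__ == "__main__":
    # Constructed deployment: two hosts, both using the assumed default name.
    shared = [("ca1.example.test", "CA", "pki-tomcat"),
              ("ca2.example.test", "CA", "pki-tomcat"),
              ("ca2.example.test", "KRA", "pki-tomcat")]
    for nickname, hosts in sorted(collisions(shared).items()):
        print(f"{nickname!r} is ambiguous between {', '.join(hosts)}")
```

A CA and a KRA on the same host share the instance-level nicknames by design, so the check counts hosts rather than subsystems.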
Per CS/DS Meeting of 10/12/2015 - 10.3
This change will be noticeable during normal QE testing, and thus does not require its own unique Bugzilla Bug.
Duplicate of PKI TRAC Ticket #432 - Certificate nickname improvement
Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2204
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.