#1645 Consider better default values for certificate nicknames
Closed: Duplicate. Opened 8 years ago by mharmsen.

The following default nicknames reside under the [DEFAULT] section, and are PKI instance-specific (e.g. for all PKI subsystems that are part of a shared PKI instance):

[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s

Additionally, the following default nicknames are PKI instance subsystem specific:

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
[TKS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
[TPS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS

In deployments which utilize multiple default-named instances (many of which are clones) and an HSM, a number of the PKI instance-specific certificate nicknames may "collide" on a shared HSM partition, making it difficult to know which certificate goes with which instance.

This ticket has been created to consider potentially better default names for these nicknames when a deployment chooses to only use the default instance name for all of its instances.


The new nicknames should avoid conflicts and also should be less cryptic. See ticket #432.
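The collision the ticket describes can be checked mechanically. The following Python script is an added example, not code from the ticket or from the pki project: it feeds the templates quoted above through ConfigParser (whose %(name)s interpolation is the syntax these deployment values use), expands them for a constructed deployment of a CA, a CA clone and a KRA that all keep the assumed default instance name pki-tomcat, and lists the nicknames that more than one host would claim on a shared HSM partition. The host names, the domain example.com and the alternative per-host instance names are constructed for the example.

```python
"""Added example (not code from the Dogtag ticket or the pki project).

Expands the default nickname templates quoted in the ticket for several PKI
instances, then lists the nicknames that more than one host would claim on a
shared HSM partition.  Host names, the domain "example.com" and the assumed
default instance name "pki-tomcat" are constructed for illustration.
"""
import configparser
from collections import defaultdict

# Templates as quoted in the ticket (the CA and KRA sections are enough to
# show the effect).  Values use ConfigParser's %(name)s interpolation.
DEFAULT_TEMPLATES = """
[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA

[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
"""


def expand_nicknames(subsystem, instance_name, dns_domainname):
    """Return {parameter: nickname} for one subsystem of one instance, with
    the %(...)s placeholders resolved exactly as ConfigParser resolves them."""
    parser = configparser.ConfigParser(
        defaults={"pki_instance_name": instance_name,
                  "pki_dns_domainname": dns_domainname},
        interpolation=configparser.BasicInterpolation())
    parser.read_string(DEFAULT_TEMPLATES)
    # items() merges the [DEFAULT] entries into every section; keep only the
    # nickname parameters, not the two interpolation variables themselves.
    return {key: value for key, value in parser.items(subsystem)
            if key.endswith("_nickname")}


def find_hsm_collisions(hosts):
    """hosts: list of (host, instance_name, dns_domainname, [subsystems]).
    Every listed subsystem is assumed to keep its keys on one shared HSM
    partition.  Returns {nickname: sorted hosts} for every nickname that two
    or more distinct hosts would use for different certificates."""
    owners = defaultdict(set)
    for host, instance_name, dns_domainname, subsystems in hosts:
        for subsystem in subsystems:
            for nickname in expand_nicknames(subsystem, instance_name,
                                             dns_domainname).values():
                owners[nickname].add(host)
    return {nick: sorted(hs) for nick, hs in owners.items() if len(hs) > 1}


# Constructed deployment: a CA, its clone and a KRA, all on the default name.
DEFAULT_NAMED = [
    ("ca1.example.com", "pki-tomcat", "example.com", ["CA"]),
    ("ca2.example.com", "pki-tomcat", "example.com", ["CA"]),   # clone of ca1
    ("kra1.example.com", "pki-tomcat", "example.com", ["KRA"]),
]

# The same deployment with a distinct (constructed) instance name per host.
UNIQUELY_NAMED = [
    ("ca1.example.com", "pki-tomcat-ca1", "example.com", ["CA"]),
    ("ca2.example.com", "pki-tomcat-ca2", "example.com", ["CA"]),
    ("kra1.example.com", "pki-tomcat-kra1", "example.com", ["KRA"]),
]

if __name__ == "__main__":
    for label, hosts in (("default instance name", DEFAULT_NAMED),
                         ("unique instance names", UNIQUELY_NAMED)):
        collisions = find_hsm_collisions(hosts)
        print(f"{label}: {len(collisions)} colliding nickname(s)")
        for nick, who in sorted(collisions.items()):
            print(f"  {nick!r} claimed by {', '.join(who)}")
```

Run as-is, the default-named deployment yields six colliding nicknames (the server, subsystem, CA signing, OCSP signing, audit signing and administrator certificates), each claimed by two or three hosts, while the KRA storage and transport nicknames stay unique because only one host runs a KRA. Giving each host its own instance name clears all of them except "PKI Administrator for example.com", which is derived from pki_dns_domainname rather than pki_instance_name and therefore stays shared by every instance in the domain regardless of how instances are named.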

Per CS/DS Meeting of 10/12/2015 - 10.3

This change will be noticeable during normal QE testing, and thus does not require its own unique Bugzilla Bug.

Duplicate of PKI TRAC Ticket #432 - Certificate nickname improvement

Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.2

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2204

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
