#1736 simplify existing CA install parameters
Closed: Fixed None Opened 8 years ago by vakwetu.

Right now, the only way to distinguish between an existing CA install and an externally signed CA install is whether or not a CSR path is provided in the step 1 invocation of pkispawn.

CSR location provided -> keys and CSR generated -> externally signed CA install.
CSR location not provided -> keys and CSR not generated -> existing CA install.

This is not very intuitive or robust. Moreover, there is absolutely no reason why the existing CA option should require two invocations of pkispawn.

I propose we simplify as follows:

  1. Add a new directive pki_existing_ca = True/False. This parameter cannot be
    simultaneously true with pki_external_ca.
  2. If pki_existing_ca = True, then the parameters for the cert and chain must be provided,
    and the install will complete in a single step.
  3. If pki_external_ca is True (and we are in step 1), then the CSR parameter must be set.
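
The three rules proposed above, written out as a pre-flight check over a pkispawn-style deployment file. This is an added example, not part of the ticket or of Dogtag's code. Only `pki_existing_ca` and `pki_external_ca` come from the ticket; the CSR, cert, chain and step-two key names, the `[CA]` section and the sample paths are assumptions.

```python
import configparser

# Assumed key names; the ticket only names pki_existing_ca and pki_external_ca.
CSR_KEY = "pki_external_csr_path"
CERT_KEY = "pki_external_ca_cert_path"
CHAIN_KEY = "pki_external_ca_cert_chain_path"
STEP_TWO_KEY = "pki_external_step_two"

# Constructed sample input: an existing-CA install with cert and chain supplied.
SAMPLE = """
[CA]
pki_existing_ca = True
pki_external_ca_cert_path = /tmp/ca_signing.crt
pki_external_ca_cert_chain_path = /tmp/chain.p7b
"""


def validate_ca_install(config_text, section="CA"):
    """Return (mode, errors); mode is 'existing', 'external', 'default' or 'invalid'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_section(section):
        return "invalid", [f"missing [{section}] section"]
    ca = parser[section]
    try:
        existing = ca.getboolean("pki_existing_ca", fallback=False)
        external = ca.getboolean("pki_external_ca", fallback=False)
        step_two = ca.getboolean(STEP_TWO_KEY, fallback=False)
    except ValueError as exc:
        return "invalid", [f"flag is not a boolean: {exc}"]

    errors = []
    # Rule 1: the two install modes are mutually exclusive.
    if existing and external:
        errors.append("pki_existing_ca and pki_external_ca cannot both be True")
    # Rule 2: an existing-CA install needs the cert and the chain up front.
    if existing:
        for key in (CERT_KEY, CHAIN_KEY):
            if not ca.get(key, "").strip():
                errors.append(f"{key} is required when pki_existing_ca = True")
    # Rule 3: step 1 of an external-CA install needs a CSR output path.
    if external and not step_two and not ca.get(CSR_KEY, "").strip():
        errors.append(f"{CSR_KEY} is required in step 1 when pki_external_ca = True")

    if errors:
        return "invalid", errors
    return ("existing" if existing else "external" if external else "default"), []
```
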

Per CS/DS Meeting of 2016/01/25: 10.3 - minor

[2016/01/25] - this should fit into the "existing CA" design document (or man page)

Fixed in master:

  • e3449617d90f5f73afdb568cc2f43769e5ea760b
  • 08f032de4090467ac4096f970609e19834b997ac
  • d3bbfe07b1cb2d65a7af6530ea01374b20a761e4
  • 88e963d55bdf4cb9799ef665a72f8855fc00c4da

Additional change in master:

  • b24ea9e24233636d18806326a9e2883235eb38d7

Metadata Update from @vakwetu:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.0.b1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2294

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
