pki.git/base/ca/shared/webapps, branch master Unnamed repository; edit this file 'description' to name the repository. Ticket #2757 CMC enrollment profiles for system certificates 2017-07-07T23:51:22+00:00 Christina Fu cfu@redhat.com 2017-06-27T01:09:55+00:00 65b1242cd139e6306fb3e039193a3a6b223ea9b1 This patch supports CMC-based system certificate requests. This patch contains the following: * The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert * The cmc-based system enrollment profiles: caCMCauditSigningCert.cfg caCMCcaCert.cfg caCMCkraStorageCert.cfg caCMCkraTransportCert.cfg caCMCocspCert.cfg caCMCserverCert.cfg caCMCsubsystemCert.cfg * new URI's in web.xml as new access points Usage example can be found here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 
This patch supports CMC-based system certificate requests.

This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points

Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof 2017-05-17T18:45:14+00:00 Christina Fu cfu@redhat.com 2017-05-16T01:15:36+00:00 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches. 
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
Ticket #2717 CMC user-signed enrollment request 2017-04-29T02:56:09+00:00 Christina Fu cfu@redhat.com 2017-04-29T00:55:17+00:00 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824 This patch provides implementation that allows user-signed CMC requests to be processed; The resulting certificate will bear the same subjectDN as that of the signing cert; The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: CMCUserSignedAuth and new profile default plugin: CMCUserSignedSubjectNameDefault and new profile constraint plugin: CMCUserSignedSubjectNameConstraint 
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
Added audit service and CLI to all subsystems. 2017-04-03T22:29:44+00:00 Endi S. Dewata edewata@redhat.com 2017-03-27T22:15:28+00:00 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems. Change-Id: I3b472254641eb887289c5122df390c46ccd97d47 
Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.

Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
Added access banner for CA UI. 2017-02-23T23:20:23+00:00 Endi S. Dewata edewata@redhat.com 2017-02-21T15:32:21+00:00 55e3f74a56ac5e8766181e3dce9bc3219a403dec All pages in CA UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection. https://fedorahosted.org/pki/ticket/2582 
All pages in CA UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582
Renamed index.html to index.jsp in CA UI. 2017-02-20T15:57:56+00:00 Endi S. Dewata edewata@redhat.com 2017-02-18T04:34:00+00:00 666f7ee81e53bf2e7018384363307b51fa1bad26 The index.html files in CA UI have been renamed to index.jsp such that they can be protected by access banner. https://fedorahosted.org/pki/ticket/2582 
The index.html files in CA UI have been renamed to index.jsp such
that they can be protected by access banner.

https://fedorahosted.org/pki/ticket/2582
Removed all references to 'xenroll.dll' 2016-12-09T22:29:50+00:00 Matthew Harmsen mharmsen@redhat.com 2016-12-09T22:29:50+00:00 6cf7cec3c559786b90dcca298a2d7c6c570eac35 - PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core 
- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
UdnPwdDirAuth authentication plugin instance is not working. 2016-06-17T21:45:40+00:00 Jack Magne jmagne@dhcp-16-206.sjc.redhat.com 2016-06-07T23:39:40+00:00 b32aae9f0923e0d9fb4da12b45f478552fb53676 Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method. 
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.

Since this class no longer works, we felt it best to just remove it from the server.

This patch removes the references and files associated with this auth method.
Detect inability to submit ECC CSR on Chrome 2016-05-14T00:10:52+00:00 Matthew Harmsen mharmsen@redhat.com 2016-05-13T22:41:16+00:00 c17719c36559802a2602c63f54db6b1e62a0143f - PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests 
- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
Added Chrome keygen warning 2016-05-13T02:04:17+00:00 Matthew Harmsen mharmsen@redhat.com 2016-05-13T02:04:17+00:00 7e0f52b62e003ab0f66ed12fdd27e05713166b74 - PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from within Chrome 
- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
                          within Chrome