| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
|
|
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
|
|
|
| |
Part of Trac Ticket# 2041
|
|
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
|
|
|
|
|
|
|
|
|
| |
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCSUtil has been updated to match the functionality provided
by JSS.
In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then remove the leaf certificate while keeping
the chain.
The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.
The pki pkcs12-export has been modified to always overwrite
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
A new CLI has been added to remove a key from a PKCS #12 file
based on the key ID.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
New CLIs have been added to add a certificate from NSS database and
to remove a certificate from the PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12Util has been modified such that it stores the certs and
keys in PKCS12 object instead of PFX object. The PKCS12 object can
be loaded either from NSS database or PKCS #12 file. The PKCS12
object can later be stored into NSS database or PKCS #12 file.
The pki pkcs12-cert-find and pkcs12-key-find commands were modified
to require PKCS #12 password.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
of PKCS12Util into separate classes.
The createLocalKeyID() has been modified to return BigInteger
instead of byte array.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
| |
A new PKCS #12 attribute has been defined to store NSS certificate
trust flags in PKCS #12 file. The PKCS12Util has been modified to
store the trust flags during export and reset the trust flags in
NSS database during import.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
| |
The pki pkcs12-import and pki pkcs12-export commands have been
added to import and export PKCS #12 file into and from NSS
database.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki pkcs12-cert-find and pki pkcs12-key-find commands have
been added to list the certificates and keys in a PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.
The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only user ID and
policy attributes when modifying a token.
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
|
|
|
|
|
|
|
| |
The TPS UI and CLI have been modified to accept only token ID,
and optionally user ID and policy attributes when adding a token.
https://fedorahosted.org/pki/ticket/1477
https://fedorahosted.org/pki/ticket/1687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684
|
|
|
|
|
|
|
|
|
| |
The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.
https://fedorahosted.org/pki/ticket/1502
|
|
|
|
|
|
|
|
|
|
| |
The pki ca-cert-request-submit command has been modified to
provide options to specify the profile name and the CSR which
will be used to create and populate the request object. This
way it's no longer necessary to download the request template
and insert the CSR manually.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
| |
Implement lightweight authority deletion including CLI command. To
be deleted an authority must be disabled and have no sub-CAs.
Fixes: https://fedorahosted.org/pki/ticket/1324
|
| |
|
|
|
|
|
|
|
|
| |
The pki client-cert-request CLI has been modified to generate a
default subject DN if it's not specified. The man page has been
updated accordingly.
https://fedorahosted.org/pki/ticket/1463
|
|
|
|
|
|
|
|
| |
The pki cert-request-submit and client-cert-request CLIs have been
modified to provide options to specify the username and password
for directory-authenticated certificate enrollments.
https://fedorahosted.org/pki/ticket/1463
|
|
|
|
|
|
|
|
| |
Add the optional "ca" query parameter for REST cert request
submission. Also update the ca-cert-request-submit CLI command with
an option to provide an AuthorityID.
Part of: https://fedorahosted.org/pki/ticket/1213
|
|
|
|
|
|
| |
Add CLI commands for creating, listing and showing lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1213
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
|
|
|
|
|
|
|
| |
The PKCS12Export has been fixed to handle ObjectNotFoundException
when exporting certificates without private keys.
https://fedorahosted.org/pki/ticket/1506
|
|
|
|
|
|
|
|
|
| |
A new man page has been added for the pki tps-profile CLI. The
CLI has been modified to refer to the new man page.
Some other man pages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1271
|
|
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS12Export has been modified such that if an error occurs
in normal mode it will display the error message and in debug
mode it will display the full stack trace.
The code has also been refactored such that it can be reused as a
library in addition to command-line tool. The code will now throw
exceptions instead of exiting to the system.
https://fedorahosted.org/pki/ticket/1224
|
|
|
|
| |
clients are: cli, HttpClient, and java console
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys archived through the KRA connector in CA have null data type
attribute which causes a NPE during retrieval using the key-retrieve
CLI. The SecurityDataRecoveryService has been modified to consider
null data type attribute as asymmetric key type.
The KeyRetrieveCLI and KeyService have been modified to generate
better debugging messages to help troubleshooting.
https://fedorahosted.org/pki/ticket/1481
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The user-cert-add command has been modified to ask the user for
the CA server URI if the CA is not available locally.
A new SubsystemClient.exists() method has been added to check
whether a subsystem is deployed on the target instance.
The SubsystemCLI has been modified to call logout() only if
the operation is executed successfully.
The certificate approval callback class has been refactored out
of PKIConnection into a separate class to clean up circular
dependency with PKIClient.
https://fedorahosted.org/pki/ticket/1448
|
|
|
|
|
|
|
|
| |
To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.
https://fedorahosted.org/pki/ticket/1449
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified such that if the security database
location (-d) is not specified, the config.certDatabase will be
initialized with the default value (i.e. ~/.dogtag/nssdb). The
config.certDatabase is needed by the CLI to prepare the client
library for key archival operations.
|
|
|
|
|
|
| |
A new findModules() method has been added to the CLI class to find
the list of modules handling a command. The list will be used by the
pki help CLI to find the proper man page for the specified command.
|
|
|
|
|
|
| |
The CRMFPopClient has been modified to use the HttpClient library
to connect to the server, to show the HTTP status code if an error
occurs, and to show the NSS database directory in verbose mode.
|
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
|
|
|
|
|
| |
The key-show CLI has been modified to provide an option to find
the active key info using the client key ID.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|