12:49 a.m.
URL: https://github.com/freeipa/freeipa/pull/813
Author: frasertweedale
Title: #813: Add Subject Key Identifier to CA cert validity check
Action: opened
PR body:
"""
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction. Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.
When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.
Fixes: https://pagure.io/freeipa/issue/6976
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/813/head:pr813
git checkout pr813
9:36 a.m.
New subject: [freeipa PR#813][comment] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
stlaz commented:
"""
I will review this but we also need a patch for 4.5 which unfortunately still uses
python-nss for certificate validation.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/813#issuecomment-304026101
9:50 a.m.
New subject: [freeipa PR#813][comment] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
stlaz commented:
"""
Works for me, 4.5 patch is needed with ^-- in mind.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/813#issuecomment-304029663
9:50 a.m.
New subject: [freeipa PR#813][+ack] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
Label: +ack
3:05 a.m.
New subject: [freeipa PR#813][comment] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
frasertweedale commented:
"""
@stlaz I don't think backport to 4.5 is essential. This issue is something that
should be
rare in practice, i.e. if a proper CA implementation signs the CSR (e.g.
MS/AD-CS) the SKI extension will be there.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/813#issuecomment-304219339
3:19 a.m.
New subject: [freeipa PR#813][comment] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
stlaz commented:
"""
@frasertweedale I guess you're right. We should therefore not triage it for 4.5 since
it's just a rare usability bug which will probably not appear in production. Thanks
for the patch and reasoning :)
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/813#issuecomment-304221920
5:40 a.m.
New subject: [freeipa PR#813][+pushed] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
Label: +pushed
5:40 a.m.
New subject: [freeipa PR#813][comment] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Title: #813: Add Subject Key Identifier to CA cert validity check
MartinBasti commented:
"""
master:
* bc6d4995144505c45a62320c71f503b54f68a962 Add Subject Key Identifier to CA cert validity
check
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/813#issuecomment-304840676
5:40 a.m.
New subject: [freeipa PR#813][closed] Add Subject Key Identifier to CA cert validity check
URL: https://github.com/freeipa/freeipa/pull/813
Author: frasertweedale
Title: #813: Add Subject Key Identifier to CA cert validity check
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/813/head:pr813
git checkout pr813
2516
days inactive
2521
days old
freeipa-devel@lists.fedorahosted.org
8 comments
3 participants
participants (3)
-
frasertweedale -
MartinBasti
-
stlaz