Our SSL/TLS tests use a server cert that's directly issued by a root CA. That's nowadays a non-standard configuration. The usual scenario is that end entities are issued by an intermediate CA. For testing something else, I required such a setup, and it was easiest for me to enhance the NSS cert scripts to produce them in addition to what we have today. This enhancement reuses the existing TestCA, and creates an additional TestIntermediateCA. Also, it creates additional server certificates for $HOST that are issued by the intermediate. I'm using a suffix for the nicknames and filenames for these additional certificates, so nothing that currently exists should be affected by these additional certs.
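The hierarchy described in this report (root, intermediate, server cert for the host), as an added example that is not part of the bug comments or of the NSS scripts: it shows that a verifier trusting only the root rejects the server cert unless the intermediate is supplied with it. It assumes `openssl` on the PATH in place of certutil/cert.sh, and all file names and subject names are constructed.

```shell
# Added example: constructed names, openssl in place of the NSS cert.sh helpers.
set -e

write_ext() {   # DIR: extension profiles used when signing
  cat > "$1/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
EOF
}

new_csr() {     # DIR NAME CN: fresh key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

issue() {       # DIR NAME ISSUER PROFILE: sign NAME.csr with ISSUER's key
  openssl x509 -req -in "$1/$2.csr" -days 30 -sha256 \
    -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/ext.cnf" -extensions "$4" -out "$1/$2.pem" >/dev/null 2>&1
}

build_chain() { # DIR: root -> intermediate -> server cert
  write_ext "$1"
  new_csr "$1" root "Example TestCA"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 -sha256 \
    -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/root.pem" >/dev/null 2>&1
  new_csr "$1" int "Example TestIntermediateCA"
  issue "$1" int root v3_ca
  new_csr "$1" server "localhost"
  issue "$1" server int v3_leaf
}

# verify DIR [extra "openssl verify" options]: the root is the only trust anchor.
verify() {
  d=$1; shift
  openssl verify -CAfile "$d/root.pem" "$@" "$d/server.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work"
if verify "$work"; then echo "server cert alone: accepted"
else echo "server cert alone: rejected"; fi
if verify "$work" -untrusted "$work/int.pem"; then echo "with intermediate: accepted"
else echo "with intermediate: rejected"; fi
```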
Created attachment 8905524
more-certs-v4.patch

merged to trunk
Comment on attachment 8905524
more-certs-v4.patch

Review of attachment 8905524:
-----------------------------------------------------------------

It doesn't appear that you have added any calls to cert_create_cert() which uses the new parameter you created. Also I have a question about the cert_add_cert call inside cert_create_cert(). Other than that, it looks fine.

::: tests/cert/cert.sh @@ +314,5 @@ > return $RET > fi > fi > > + cert_add_cert "$OPT_PARAM"

shouldn't this be cert_add_cert "$OPT_PARAM" "$CA_PREFIX" ?
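Review bot: the added line `cert_add_cert "$OPT_PARAM"` at the end of this hunk passes a single argument, so whatever CA selection the new cert_create_cert() parameter carries is not forwarded past this call. If the callee falls back to a default issuer when no second argument is given, a certificate requested from the intermediate would be issued by the default CA without any error, and a test built on it would exercise the wrong chain. Forward the prefix explicitly here, and have the script check the issuer of the resulting certificate so a wrong signer fails the run.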
Attachment #8905524 - Flags: review?(rrelyea) → review+
Created attachment 8905948
additional changes (incremental patch)

(In reply to Robert Relyea from comment #4)
> It doesn't appear that you have added any calls to cert_create_cert() which
> uses the new parameter you created.

You're right. It wasn't necessary. I had only touched the function to ensure the correct parameters are passed on to the existing call.

> Also I have a question about the cert_add_cert call inside
> cert_create_cert().
>
> > + cert_add_cert "$OPT_PARAM"
>
> shouldn't this be cert_add_cert "$OPT_PARAM" "$CA_PREFIX" ?

Thanks for catching this, you're partially correct. CA_PREFIX should be passed on ONLY if it isn't the default value TestCA.

These additional changes make that adjustment, and add a call to cert_create_cert to create client certs issued by the intermediate.
Created attachment 8905949
1318622-part1-v5.patch

earlier part merged
I'm no longer convinced I should check this in. When considering hooking these new certs up to an SSL client auth test, I discovered that it's unnecessary. Our scripts already create another directory ext_server (and ext_client) which DO already create server/client certificates issued by intermediates ... :-/
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → WORKSFORME