Create server certs issued by intermediate CA

Status

RESOLVED WORKSFORME
2 years ago
11 months ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

3.27

Attachments

(2 attachments, 2 obsolete attachments)

(Assignee)

Description

2 years ago
Our SSL/TLS tests use a server cert that's directly issued by a root CA. That's nowadays a non-standard configuration. The usual scenario is that end entities are issued by an intermediate CA.

For testing something else, I required such a setup, and it was easiest for me to enhance the NSS cert scripts to produce them in addition to what we have today.

This enhancement reuses the existing TestCA, and creates an additional TestIntermediateCA. Also, it creates additional server certificates for $HOST that are issued by the intermediate. I'm using a suffix for the nicknames and filenames for these additional certificates, so nothing that currently exists should be affected by these additional certs.
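
The setup this report describes (a root CA, an intermediate CA, and a server cert issued by the intermediate), as an added example that is not part of the bug or of NSS's tests/cert/cert.sh. It assumes the openssl CLI is on PATH and uses it in place of NSS certutil; every subject name and file name in it is constructed.

```sh
# Added example, not NSS code: openssl stands in for certutil; names are constructed.

# issue NAME SUBJECT EXT_SECTION SERIAL [ISSUER]
# Creates NAME.key and NAME.pem, signed by ISSUER, or self-signed if omitted.
issue() {
    name=$1 subj=$2 ext=$3 serial=$4 issuer=${5:-}
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        set -- -CA "$issuer.pem" -CAkey "$issuer.key"
    else
        set -- -signkey "$name.key"
    fi
    openssl x509 -req -in "$name.csr" -sha256 -days 30 -set_serial "$serial" \
        -extfile ext.cnf -extensions "$ext" "$@" -out "$name.pem" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> server cert (runs in a subshell).
build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
    issue root   "/CN=Example Root CA"         ca   1 &&
    issue inter  "/CN=Example Intermediate CA" ca   2 root &&
    issue server "/CN=server.example.test"     leaf 3 inter
)

# chain_ok DIR: trust only the root; the intermediate is supplied as an
# untrusted helper cert, the way a TLS server sends it in its handshake.
chain_ok() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# leaf_alone_ok DIR: same trust store, intermediate withheld.
leaf_alone_ok() { openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1; }

d=$(mktemp -d) && build_chain "$d" || exit 1
chain_ok "$d"      && echo "root + intermediate: server cert verifies"
leaf_alone_ok "$d" || echo "root only: server cert does not verify"
rm -rf "$d"
```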
(Assignee)

Comment 1

2 years ago
Created attachment 8812122
more-certs-v3.patch
Assignee: nobody → kaie
(Assignee)

Updated

2 years ago
Attachment #8812122 - Flags: review?(rrelyea)
(Assignee)

Comment 2

11 months ago
Created attachment 8905524
more-certs-v4.patch

merged to trunk
Attachment #8812122 - Attachment is obsolete: true
Attachment #8812122 - Flags: review?(rrelyea)
Attachment #8905524 - Flags: review?(rrelyea)

Comment 4

11 months ago
Comment on attachment 8905524
more-certs-v4.patch

Review of attachment 8905524:
-----------------------------------------------------------------

It doesn't appear that you have added any calls to cert_create_cert() which uses the new parameter you created.
Also I have a question about the cert_add_cert call inside cert_create_cert().

Other than that, it looks fine.

::: tests/cert/cert.sh
@@ +314,5 @@
>              return $RET
>  	fi
>      fi
>  
> +    cert_add_cert "$OPT_PARAM"
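
Review bot: the added cert_add_cert "$OPT_PARAM" line, the last line of this hunk, shows no handling of the call's exit status, while the block just above it bails out with return $RET. If anything follows this call in cert_create_cert(), capture its status and return it the same way, so that a failing cert_add_cert is not reported as success.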

shouldn't this be cert_add_cert "$OPT_PARAM" "$CA_PREFIX" ?
Attachment #8905524 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 5

11 months ago
Created attachment 8905948
additional changes (incremental patch)

(In reply to Robert Relyea from comment #4)
> 
> It doesn't appear that you have added any calls to cert_create_cert() which
> uses the new parameter you created.

You're right. It wasn't necessary. I had only touched the function to ensure the correct parameters are passed on to the existing call.


> Also I have a question about the cert_add_cert call inside
> cert_create_cert().
> 
> > +    cert_add_cert "$OPT_PARAM"
> 
> shouldn't this be cert_add_cert "$OPT_PARAM" "$CA_PREFIX" ?

Thanks for catching this, you're partially correct.

CA_PREFIX should be passed on ONLY if it isn't the default value TestCA.


These additional changes make that adjustment, and add a call to cert_create_cert to create client certs issued by the intermediate.
(Assignee)

Comment 6

11 months ago
Created attachment 8905949
1318622-part1-v5.patch

earlier part merged
Attachment #8905524 - Attachment is obsolete: true
Attachment #8905949 - Flags: review+
(Assignee)

Comment 7

11 months ago
I'm no longer convinced I should check this in.

When considering hooking these new certs up to an SSL client auth test, I discovered that it's unnecessary.

Our scripts already create another directory ext_server (and ext_client) which DO already create server/client certificates issued by intermediates ... :-/
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → WORKSFORME