Update pki-server cert-create #4612
Conversation
The pki-server cert-create has been updated to simplify creating a system cert. It will use the server's NSS database directly and RSNv3 serial numbers so it can be used before the CA subsystem is created or when the server is down. It will use the CSR in /etc/pki/pki-tomcat/certs and store the new cert in that folder as well. The tests for installing CA with existing NSS database and HSM have been updated to use this command.
|
Kudos, SonarCloud Quality Gate passed! |
There was a problem hiding this comment.
LGTM. I have just a note.
In the PR #4584 the idea was to remove certificates from CS.cfg and move in the folder <instance>conf/certs folder if they cannot be retrieved/stored in other places. Therefore, the current commands are not using/reading certificate from that folder if they are in the NSSDB.
If I get correctly in this case we store the certificate in the DB and in the folder. We could drop the second.
However, it is not a real issue so feel free to merge.
|
@fmarco76 Thanks! I'll merge this PR but feel free to continue the discussion. Yes, this command will store the new cert in In the next PR I'm going replace the import command with |
The
pki-server cert-createhas been updated to simplify creating a system cert. It will use the server's NSS database directly and RSNv3 serial numbers so it can be used before the CA subsystem is created or when the server is down. It will use the CSR in/etc/pki/pki-tomcat/certsand store the new cert in that folder as well.The tests for installing CA with existing NSS database and HSM have been updated to use this command.
https://github.com/dogtagpki/pki/wiki/PKI-Server-Certificate-CLI
https://github.com/edewata/pki/blob/cli/docs/changes/v11.5.0/Tools-Changes.adoc