Been working with nalin@xxxxxxxxxx to get the certs that certmaster
generates to be a little more RFC compliant.

There is a repo set up at
http://github.com/alikins/certmaster/commits/alikins-devel with the
changes so far.

Basically:

- change cert serial number creation to start at a random number and
  increment. Trying to make sure we have unique serial number+issuer
  across all the certs
- change the digest we use to sign the certs from md5 to sha-1
- remove some of the spurious, bogus, redundant info from the cert info
  fields (the dummy country/state/local info)
- attempt to set all the right extension flags on cert creation,
  indicating what are CA certs, what are signing certs, etc.
  (though it appears pyopenssl doesn't like this, and segfaults, so
  probably need to work around that. Probably by invoking "openssl"
  cmd line to generate certs...)

I'm not entirely sure how to proceed to support cert revocation. There
seems to be very little support for it in pyopenssl. If we use the
"openssl" cmd line, we could at least generate a certificate revocation
list for the certs, even if we currently don't check for revocation.

Adrian
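
The serial-number scheme from the first bullet (random start, then increment, unique per issuer), as an added example that is not certmaster's code or part of the original message. The `SerialAllocator` class and its per-CA state file are hypothetical; the positive, at-most-20-octet limit it enforces is the RFC 5280 serial number rule.

```python
import fcntl
import os
import secrets


def der_integer_octets(n: int) -> int:
    """Length of the DER INTEGER content for a positive n (sign bit included)."""
    return n.bit_length() // 8 + 1


class SerialAllocator:
    """Hands out serials for ONE issuer: random start, then increment by one.

    Keep one state file per CA so that (issuer, serial) never repeats.
    """

    def __init__(self, path: str, start_bits: int = 64):
        self.path = path              # hypothetical per-CA state file
        self.start_bits = start_bits  # size of the random starting point

    def next_serial(self) -> int:
        # O_CREAT without O_TRUNC: keep existing state, create it on first use.
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        with os.fdopen(fd, "r+") as f:
            fcntl.flock(f, fcntl.LOCK_EX)  # serialize concurrent signers
            text = f.read().strip()
            if text:
                serial = int(text, 16) + 1  # last issued serial, plus one
            else:
                # First cert from this CA: random, non-zero starting point.
                serial = secrets.randbits(self.start_bits) | 1
            if serial <= 0 or der_integer_octets(serial) > 20:
                raise OverflowError("serial would not fit in 20 octets")
            f.seek(0)
            f.truncate()
            f.write(format(serial, "x"))
            f.flush()
            os.fsync(f.fileno())  # persist before the cert is issued
            return serial  # lock is released when the file closes
```

The state file is written and synced before the serial is returned, so a crash between allocation and signing skips a number instead of reusing one.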