File: local-signer.txt

Package: certmonger 0.75.14-3 (file content: 36 lines)
Local Signer: Design and Implementation Notes

"One step forward from self-signed certificates."
"Still basically a toy signer."

During the run-up to 0.75, we added several entry points at which we call
per-CA code.  In addition to "ask the CA to sign this", we are:
* called to self-identify
  * currently called at daemon startup
* called to produce a list of our root certificates
  * currently called at daemon startup and at a midpoint between startup and
    the earliest NotValidAfter date for any known roots, iteratively
* called to produce a list of profiles we support
  * currently called at daemon startup
* called to produce the name of the default profile
  * currently called at daemon startup
* called to produce a list of required first-time-enrollment attributes
  * currently called at daemon startup
* called to produce a list of required renewal attributes
  * currently called at daemon startup

The second one, when we're called to produce a list of our root certificates,
seems to be a good time to actually bring up a local signer and, when it
becomes necessary, add a new certificate for it.

The general idea is:

if we-don't-have-a-certificate or not-valid-after-time-is-soon:
	if we-don't-have-a-private-key-of-the-right-type:
		generate-a-private-key
	generate-ca-certificate-using-private-key
	output all certificates
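
The pseudocode above, carried through as a working POSIX shell function over
openssl(1).  This is an added example, not certmonger's own code: it assumes a
state directory holding "ca.key" and "ca.crt" (hypothetical file names), takes
RSA as the "right type" of key, treats "soon" as anything inside RENEW_SECS,
and keeps superseded roots under a timestamped name so that "output all
certificates" really does emit every root the signer has issued.

```shell
#!/bin/sh
# Added example (not certmonger's own code): the local-signer bring-up step
# from the design notes, as a POSIX shell function over openssl(1).
# Assumed layout: "$dir/ca.key" and "$dir/ca.crt" (hypothetical names).

RENEW_SECS=${RENEW_SECS:-2592000}   # constructed threshold: 30 days

# Returns 0 when the CA certificate is missing or its NotValidAfter date
# falls within RENEW_SECS ("we-don't-have-a-certificate or
# not-valid-after-time-is-soon").
ca_cert_needs_refresh() {
    cert="$1"
    [ -f "$cert" ] || return 0
    # x509 -checkend exits non-zero when the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend "$RENEW_SECS" >/dev/null 2>&1 && return 1
    return 0
}

# Returns 0 when a private key exists and is of the expected type (RSA here).
# "openssl rsa" refuses to parse keys of any other algorithm.
ca_key_is_right_type() {
    key="$1"
    [ -f "$key" ] || return 1
    openssl rsa -in "$key" -noout >/dev/null 2>&1
}

# Mirrors the pseudocode: refresh the CA certificate when needed, generating a
# key first if the existing one is absent or of the wrong type, then print
# every root certificate held in the state directory (current and superseded).
ensure_local_signer() {
    dir="$1"
    key="$dir/ca.key"
    cert="$dir/ca.crt"
    mkdir -p "$dir" || return 1
    if ca_cert_needs_refresh "$cert"; then
        if ! ca_key_is_right_type "$key"; then
            rm -f "$key"
            # Subshell so the restrictive umask only applies to key creation.
            (umask 077 && openssl genpkey -algorithm RSA \
                -pkeyopt rsa_keygen_bits:2048 -out "$key" >/dev/null 2>&1) || return 1
        fi
        # Keep the outgoing root: certificates it signed are still in use.
        if [ -f "$cert" ]; then
            mv "$cert" "$dir/ca-$(date +%s).crt" || return 1
        fi
        # Self-signed CA certificate over the (possibly new) private key.
        openssl req -x509 -new -key "$key" -subj "/CN=Local Signing Authority" \
            -days 365 -out "$cert" >/dev/null 2>&1 || return 1
    fi
    cat "$dir"/*.crt
}

# usage: ensure_local_signer /path/to/state-dir
```

Calling the function twice in a row leaves the key and certificate untouched on
the second call; raising RENEW_SECS past the certificate's lifetime (or letting
real time do it) triggers re-issuance while the old root stays in the output.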

Since we don't pass the current set of certificates in to helpers, we either
need to start doing that (ugh, the formatting) or implement it as an internal
signer, like SelfSign.