[Swan-dev] generating x509 certificates

Paul Wouters paul at nohats.ca
Wed Feb 4 18:48:18 EET 2015


On Wed, 4 Feb 2015, Antony Antony wrote:

> I agree, as a small step, I just added pyOpenSSL to .ks Dockerfile and the web page. Hugh and Paul you guys may want to install pyOpenSSL manually on your host before this change hits mainstream. Otherwise make check will break for you.

Will do.

>> Note that dist_certs.py is only intended to create the certificate batch,
>> and any of the NSS db creation, importing, etc. that is needed for a
>> individual test is handled by swan-prep with the --x509 option.
>
> As I recollect, there was an issue with "swan-prep --x509" and CA import. The pyOpenSSL + CN + swan-prep did not play well. I forgot to chase Matt to understand this and fix it. I am a proponent of the python-based script. Where are we with this? I am happy to change swan-prep.

I thought we had an issue with generating "special" certificates, such
as the one with the leading zero, or the ones that are "not yet valid"
or "expired". I suggested using libfaketime for that and pushed the
pending package for that into Fedora, but neither Matt nor I started to
use it to generate these certificates yet. The shell script did so,
although with some faults such as not working in the first 9 days of the
month :)

> "I expect that running x509 tests with the dist_certs.py set will need some
> minor output adjustments. For example, the NSS db nickname of the root CA when
> it comes out of the p12 file will change to its CN from "mainca" or whatever. The
> pyOpenSSL methods to create a p12 wouldn't let me change that. So any certutil
> -L outputs will change some."

We'll have to live with that; it is annoying (makes logs less readable) but not a
show stopper.

Paul

