Bug 7119 – Enable MyProxyCA to include a certificate chain of intermediate CA certificates with EECs Issued

Bug 7119 - Enable MyProxyCA to include a certificate chain of intermediate CA certificates with EECs Issued

Summary:

Enable MyProxyCA to include a certificate chain of intermediate CA certificat...

Status:	RESOLVED FIXED

Product:	MyProxy
Component:	MyProxy
Version:	5.2
Platform:	All All

Importance:	P3 enhancement
Target Milestone:	---
Assigned To:	Venkat Yekkirala

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-01-10 06:50 by Philip Kershaw
Modified:	2011-02-28 09:09 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Philip Kershaw 2011-01-10 06:50:09

The associated CA with a given MyProxyCA may itself be an intermediate CA
issued from a root CA or further intermediate CA.  It would be a useful
addition to be able to configure the server so that these CA certificates were
returned in logon responses along with the new short term credential issued.  

This would simplify the configuration of services consuming the credential
since they would need only to keep a copy of the respective root CA
certificate.  In addition, tests with Java based services have shown that for a
given client certificate making a request over SSL, only the issuing
certificate is required to be present in the server's truststore.  This means
that for client certificates issued as part of a trust chain of CA
certificates, the verification process is not completed back to the root CA
unless the complete chain of intermediate certificates is passed by the client.

------- Comment #1 From Jim Basney 2011-01-11 17:43:31 -------

Hi Philip. Our plan is to add a myproxy-server.config option for specifying the
path to a file containing one or more intermediate CA certificates to be added
to the certificate chain for every CA GET response. Does that sound like it
will provide what you need? We'll update this bug when it's in CVS so you'll
have an opportunity to test before release.

------- Comment #2 From Philip Kershaw 2011-01-12 00:26:56 -------

That sounds great - thanks.

Phil

------- Comment #3 From Venkat Yekkirala 2011-01-12 17:02:34 -------

Implemented a myproxy-server.config certificate_issuer_subca_certfile option.
Mods in CVS.

------- Comment #4 From Jim Basney 2011-01-12 17:29:36 -------

Philip,

A release candidate is available for testing here:
http://grid.ncsa.illinois.edu/myproxy/dl/myproxy-5.3rc1.tar.gz

$ openssl sha1 < myproxy-5.3rc1.tar.gz 
62e3fc8c1aa21e47498f8bbbb3df07cf1cf5090f

When you get a chance, please give it a try and let us know how it works for
you.

-Jim

------- Comment #5 From Philip Kershaw 2011-01-19 02:59:26 -------

Thanks for getting this out so quickly.  I've not had a chance to try it out
but will look at it soon and let you know.

Phil

------- Comment #6 From Jim Basney 2011-02-28 09:09:28 -------

Included in MyProxy 5.3 released 17 Jan 2011.

Please re-open this bug if any changes are required.