Bugzilla – Bug 7119
Enable MyProxyCA to include a certificate chain of intermediate CA certificates with EECs Issued
Last modified: 2011-02-28 09:09:28
The CA associated with a given MyProxyCA may itself be an intermediate CA issued from a root CA or a further intermediate CA. It would be a useful addition to be able to configure the server so that these CA certificates were returned in logon responses along with the new short-term credential issued. This would simplify the configuration of services consuming the credential, since they would need only to keep a copy of the respective root CA certificate. In addition, tests with Java-based services have shown that for a given client certificate making a request over SSL, only the issuing certificate is required to be present in the server's truststore. This means that for client certificates issued as part of a trust chain of CA certificates, the verification process is not completed back to the root CA unless the complete chain of intermediate certificates is passed by the client.
Hi Philip. Our plan is to add a myproxy-server.config option for specifying the path to a file containing one or more intermediate CA certificates to be added to the certificate chain for every CA GET response. Does that sound like it will provide what you need? We'll update this bug when it's in CVS so you'll have an opportunity to test before release.
That sounds great - thanks. Phil
Implemented a myproxy-server.config certificate_issuer_subca_certfile option. Mods in CVS.
Philip, a release candidate is available for testing here: http://grid.ncsa.illinois.edu/myproxy/dl/myproxy-5.3rc1.tar.gz

$ openssl sha1 < myproxy-5.3rc1.tar.gz
62e3fc8c1aa21e47498f8bbbb3df07cf1cf5090f

When you get a chance, please give it a try and let us know how it works for you. -Jim
Thanks for getting this out so quickly. I've not had a chance to try it out but will look at it soon and let you know. Phil
Included in MyProxy 5.3 released 17 Jan 2011. Please re-open this bug if any changes are required.