Majic Projects ~ [CLOSED] GC-18 - Ability to renew existing certificates

Majic Projects

Gimmecert

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Gimmecert / Closed Feature request GC-18 Ability to renew existing certificates

Votes

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

0.1.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Mar 20, 2018
Last updated

Mar 25, 2018
Estimated time

8 hours Not estimated
Time spent

7 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

As client and server certificates are getting issued, it can happen that their validity has expired, or perhaps the user wants to replace the private key.

At the moment this can be done by removing the artefacts, and issuing the certificate again. However, the problem with this is that:

It is not possible to preserve the private key and just get a new certificate.
It is required to provide the very same information provided the last time, which is tedious.

It would be good if there was a built-in convenient way to do this instead.

The following should be done:

Implement a renew certificate command.
Renew command should:
- Optionally generate a new private key.
- Use the same naming as in the original certificate.
- Replace the existing certificate with a new one.
- Provide user with information on what has been done.
Renew command should accept the following positional arguments:
- Type of entity (server/client).
- Name of entity.
Renew command should accept the following optional arguments:
- Flag denoting that the private key should be regenerated.
Renew command should be implemented with the following constraints in mind:
- Command should not run in case the entity is not known. Instead an informative error message should be shown.
- Existing artefacts should be replaced with new ones. It should be possible to do this as late as possible, once both private key and certificate are known, in order to avoid partial writes.
- In case of any additional naming (like DNS subject alternative names), information should be pulled-out of the existing certificate.
- New certificate should contain same set of extensions as the original one (basic constraints, KU, EKU, subject alternative name).
- Certificate should be issued by the leaf CA (furthest away from the root/level 1 CA).
- Certificate validity should not exceed the CA validity.
- Validity should start at time of issuance minus 15 minutes.
- Both server and client certificate renewal should be supported.
- Example usage in help should be updated for the new command.

Documentation should cover:

Command usage for both server and client.
Command usage should cover cases where private key is kept and where private key is regenerated as well.
Information about subject DN and subject alternative names being take from existing certificate.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password