Closed sebplorenz closed 2 years ago
Hey, sorry for the late answer. I still have not found out how to subscribe to new issues.
The import_certfile line was meant as a way of helping people find the right place for a particular certificate (in the keys folder).
Its sole purpose was to copy certificates to the right place once for easier setup.
There are two easy solutions for you:
a) Instruct git (or your "repository" software) to ignore any changes to that file.
b) Also back up the actual certificates.
If all of that fails to solve your problem, you may also write a script of some sort which copies certificates to the right place. As of now, that place is
/keys/<base64url(client_id)>.cert
where client_id is the usual SKI:AKI construction.
A future update will change that, allowing you to store and load your certificates from/to wherever you want (including relational databases etc.), but said update is still in the making.
The import_certfile option no longer exists. The correct place for the certificate for client client_id is now /keys/clients/${client_id}.cert
Closing this issue
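The copy script suggested in the replies above, written out as an added example (not code from the thread or from the project); it covers both the older `keys/<base64url(client_id)>.cert` location and the later `keys/clients/<client_id>.cert` one. The function names, the `layout` switch, keeping the base64 padding, and the allowed-character check on `client_id` are assumptions.

```python
import base64
import re
import shutil
from pathlib import Path

# Assumption: client ids are plain ASCII tokens such as colon-separated hex.
# Anything else is rejected before it is used as a file name.
_SAFE_ID = re.compile(r"[A-Za-z0-9:._-]+")


def cert_path(keys_dir, client_id, layout="clients"):
    """Return the path where the certificate for client_id belongs.

    layout="base64url": <keys_dir>/<base64url(client_id)>.cert  (older location)
    layout="clients":   <keys_dir>/clients/<client_id>.cert     (later location)
    """
    keys_dir = Path(keys_dir)
    if layout == "base64url":
        # Padding ('=') is kept; the thread does not say whether it is stripped.
        name = base64.urlsafe_b64encode(client_id.encode("utf-8")).decode("ascii")
        return keys_dir / f"{name}.cert"
    if layout == "clients":
        # The id becomes the file name verbatim, so refuse path separators
        # and other characters that could escape keys/clients.
        if not _SAFE_ID.fullmatch(client_id):
            raise ValueError(f"unsafe client_id: {client_id!r}")
        return keys_dir / "clients" / f"{client_id}.cert"
    raise ValueError(f"unknown layout: {layout!r}")


def install_cert(src, keys_dir, client_id, layout="clients"):
    """Copy src into place; never silently replace a different certificate."""
    src = Path(src)
    dest = cert_path(keys_dir, client_id, layout)
    dest.parent.mkdir(parents=True, exist_ok=True)
    if dest.exists() and dest.read_bytes() != src.read_bytes():
        raise FileExistsError(f"{dest} already holds a different certificate")
    shutil.copyfile(src, dest)
    return dest
```

Running `install_cert` from a restore job rebuilds the key directory from the backed-up certificates, so the certificate lookup no longer depends on a line in the config file.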
... which makes the config not usable in a new environment. Reproduce:
If the config is stored in a repository every time it changes, then there is a serious danger that this change is checked in to the config repo, which makes the config unusable for restoring an environment. Because if the line is missing the DAPS will not find the corresponding client cert.