Closed eudyptula closed 6 years ago
uzoltan
commented
6 years ago Yeah I am aware of this design issue and I told about it to Csaba too.
My hack to test the CA functions were much simpler:
eudyptula
commented
6 years ago Well, my changes would make it run with just the secure versions...
Coming to think about it, the CA should probably just accept any self-signed certificate from the client, and use the client's public key to encrypt the response - that way only the client is able to read it.
uzoltan
commented
6 years ago I think that's a good idea.
uzoltan
commented
6 years ago Csaba said that when the full bootstrapping process is figured out, application systems most likely wont be directly calling the CA system, so I'm closing this for now.
Been having some trouble getting the certificate authority working:
Kinda got it all to work in secure mode, but had to bypass a few security measurements to do so:
setNeedClientAuth(false)in the CA, so it doesn't require a certificate from the client, which it cannot provide at this stage.CertAuthorityACFto not filter anything - again as the client cannot provide any certificates to filter on.CertificateBootstrapperclass, so that the client would accept the certificate from the CA system. Was playing around with getting it through an insecure version of the CA, started simultaneously with the secure version - didn't get that to work though.Anyhow, know that this is probably not the correct/secure solution to take, just thought I'd report on my progress playing with the CA. Haven't pushed any of this in, so it won't get mixed up in the release code (if I do I will keep it on a separate branch in my own fork).