-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Custom CA for certificate issuing #438
Conversation
|
||
def _load_rootca_certificate(self, ca_json): | ||
if "rootcrt" not in ca_json or not ca_json["rootcrt"]: | ||
logger.warning("Custom CA has no root CA certificate provided") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe adding ca id to enrich the log for debugging purpose?
logger.warning("Custom CA %s has no root CA certificate provided", ca_env)
|
||
acceptable_validity = min(validity, self.settings["max_validity_days"]) | ||
builder = builder.not_valid_after( | ||
datetime.now(timezone.utc) + timedelta(days=acceptable_validity) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
call datetime.now twice at 129 and 133. considering consolidate them into 1?
active_ca = [ | ||
ca | ||
for ca in CUSTOM_CERTIFICATE_AUTHORITIES[ca_env] | ||
if validator.validate(ca) and ca["kid"] == active_ca_id |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if validator.validate(ca) return False, will we still log Custom CA %s has no active keys?
# Get the certificate in PEM format | ||
intermediate_ca_pem = self.encode_certificate(self.ca_certificate) | ||
root_ca_pem = self.encode_certificate(self.root_ca_certificate) | ||
return intermediate_ca_pem + root_ca_pem |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
self.root_ca_certificate can be None? if so intermediate_ca_pem + root_ca_pem will throw TypeError
1958e28
/offload |
previously we have one giant class certificatemanager which has a certificatauthority class which is basically ACM PCA.
Now we want to add support for custom ca, without impacting existing contracts/apis on
/v1/certificates prefix
. So a new base class is created so that both acm pca and custom ca can inherit from.other changes are mostly tests and settings along side this.