Post by JenHuang on Sept 21, 2022 8:52:08 GMT
According to the Redfish certificate schema, redfish.dmtf.org/schemas/Certificate.v1_4_0.json, the annotation 'requiredOnCreate' has the following properties, CertificateString and CertificateType, when the user does a POST create. What is the expectation if the user does a POST create with CertificateString but is missing information for Identifier, like "CommonName" and other properties (City, Country, Email and so on)? My personal understanding is that checking CertificateString may not be required and the user should check properly before the POST create.
|
|
|
Post by mraineri on Sept 21, 2022 12:58:03 GMT
For a valid X509 certificate, the raw string provided in CertificateString will have that information; my understanding is you cannot have a valid X509 certificate without those details. Clients will provide the full certificate body via CertificateString so that the service can manage the certificate in its entirety within its certificate store or any other certificate repository it contains. While the service is not required to return the full certificate string, at this point it will have all of these details internally in order to represent other properties, like the subject and issuer information.
|
|
|
Post by JenHuang on Sept 23, 2022 9:58:30 GMT
|
|
|
Post by mraineri on Sept 23, 2022 13:18:10 GMT
Ah, my understanding was incorrect then. Looks like it's possible to have several of the fields missing (I would expect common name to always be there though since that's what the certificate is supposed to represent in the first place).
But if a user passes in a certificate without certain fields, then I would expect those respective properties to be omitted from responses when a client performs a GET on the resource. If your implementation has a requirement that a certain field needs to exist in the certificate, then you'll need to add processing of the raw certificate string when the client attempts to create the resource.
|
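The processing of the raw certificate string described in the reply above, as an added example that is not part of the original thread and is not DMTF code. The names `subjectProps` and `sampleCert` are hypothetical, the mapping of City to the X.509 locality attribute and State to the province attribute is an assumption, and the sample certificate is constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// subjectProps maps a PEM CertificateString to the subject properties it carries; required is this example's own policy.
func subjectProps(certString string, required ...string) (map[string]string, error) {
	block, _ := pem.Decode([]byte(certString))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("CertificateString is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	s, props := cert.Subject, map[string]string{}
	for name, vals := range map[string][]string{"CommonName": {s.CommonName}, "City": s.Locality, "State": s.Province,
		"Country": s.Country, "Organization": s.Organization, "OrganizationalUnit": s.OrganizationalUnit} {
		if len(vals) > 0 && vals[0] != "" { // absent fields are left out; first value wins
			props[name] = vals[0]
		}
	}
	for _, r := range required {
		if _, ok := props[r]; !ok {
			return nil, fmt.Errorf("certificate subject has no %s", r)
		}
	}
	return props, nil
}

// sampleCert builds a constructed, self-signed test certificate with only the given subject fields.
func sampleCert(cn string, country ...string) string {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Country: country},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	fmt.Println(subjectProps(sampleCert("bmc.example.test"), "Country"))
}
```

Called without any required names, the function accepts the certificate and returns only the properties that are present, which is the set a service would expose on GET.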
|
|
Post by AMI_RythonCai on Nov 4, 2022 3:20:52 GMT
One more question
The annotation 'requiredParameter' has the following properties: City, CommonName, Country, Organization, OrganizationalUnit, State, when the user POSTs GenerateCSR.
If this information is not mandatory for a valid certificate, could we just provide one of these for GenerateCSR? Thanks
|
|
|
Post by mraineri on Nov 7, 2022 13:51:56 GMT
My understanding is that common practices and tools require those fields to be populated when generating a CSR. While it's possible per the RFCs that those fields may be absent, most web services I've encountered require users to provide that information.
|
|
|
Post by AMI_RythonCai on Nov 9, 2022 9:26:11 GMT
Thanks for your information.
My perspective is that if RFC5280 has no specific definition of which of that information is mandatory or optional, their annotation shouldn't mark them as "required parameter".
Which specification should we refer to? Thanks
|
|
|
Post by mraineri on Nov 9, 2022 13:45:22 GMT
We marked those parameters as required based on existing tools that expect them to be present. Although RFC5280 doesn't require those fields, we'd like to ensure interoperability in the output, so having a minimal baseline set of parameters will help ensure that. Allowing CSRs that can't be processed by most CAs to be produced is detrimental to the end user.