I am looking to extend CertificateExpirationNotifierWorker to not send a notification when a renewed certificate exists.
The idea is to check that there is a newer certificate issued for the same subject DN or end entity for which the certificate was issued.
I would like to know if this is a good idea that will work consistently for all types of certificates and that you can maintain further. I am sure you were thinking about this because it is a typical configuration users would like to have.
The idea is to create a new worker that will have the following as input:
A list of end entity profiles to check, where the user can select multiple
The time before the notification is sent (this is the same property as in CertificateExpirationNotifierWorker)
The worker will get all certificates based on the selected end entity profiles that are going to expire and additionally check if a newer one exists, i.e.:
String fingerprint = (String) next[0];
String username = (String) next[1];
String subjectDN = endEntityAccessSession.findByUsername(username).getSubjectDN();
X509Certificate latestIssued = certificateStoreSession.findLatestX509CertificateBySubject(subjectDN);
X509Certificate found = (X509Certificate) certificateStoreSession.findCertificateByFingerprint(fingerprint);
byte[] latestIssuedEncoded = latestIssued.getEncoded();
byte[] foundEncoded = found.getEncoded();
// Notify only if the expiring certificate is still the latest one issued for this subject,
// i.e. no renewed certificate exists
if (Arrays.equals(foundEncoded, latestIssuedEncoded)) {
    // Get the certificate through a session bean
    log.debug("Found a certificate we should notify. Username=" + username + ", fp=" + fingerprint);
    final String subject = "Certificate expiration notification - without renewed";
    final String message = "Certificate with: \n"
        + "fingerprint: " + fingerprint + "\n"
        + "with the serial number: " + latestIssued.getSerialNumber().toString(16) + "\n"
        + "username: " + username + "\n"
        + "is going to expire and does not have any renewed certificate.";
    final MailActionInfo mailActionInfo = new MailActionInfo(null, subject, message);
    sendEmail(mailActionInfo, ejbs);
}
Because of the findLatestX509CertificateBySubject method, is this going to work only for X.509 certificates? Should a more general method like findLatestCertificateBySubject or similar be implemented to get a Certificate instead of an X509Certificate?
My proof of concept for X.509 certificates works as expected, but I am not 100% sure that it does not have any side effects or unexpected behaviour. I can create a PR if you think this is a good approach.
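As an added example (not the poster's code and not EJBCA's), the same "skip when a renewal exists" check written in a type-neutral form over constructed certificate records: it only needs validity dates, so it does not depend on X509Certificate, and it can key on the end entity (username) or on the subject DN, which differ when two end entities share a subject DN.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List

@dataclass(frozen=True)
class CertRecord:
    """Type-neutral view of a stored certificate (constructed for this example)."""
    fingerprint: str
    username: str      # end entity the certificate was issued for
    subject_dn: str
    not_before: datetime
    not_after: datetime

def by_username(c: CertRecord) -> str:
    return c.username

def by_subject_dn(c: CertRecord) -> str:
    return c.subject_dn

def certs_to_notify(store: Iterable[CertRecord], now: datetime, window: timedelta,
                    key: Callable[[CertRecord], str] = by_username) -> List[CertRecord]:
    """Expiring certificates that have no newer certificate for the same `key`.

    `key` decides what "same" means: the end entity (default) or the subject DN.
    Only notBefore ordering is used, so any certificate type with validity dates works.
    """
    store = list(store)
    latest: Dict[str, CertRecord] = {}
    for cert in store:                      # newest issuance per key
        k = key(cert)
        if k not in latest or cert.not_before > latest[k].not_before:
            latest[k] = cert
    return [c for c in store
            if now <= c.not_after <= now + window           # about to expire
            and latest[key(c)].fingerprint == c.fingerprint]  # and not renewed

# Constructed sample data: NOW is fixed so the result is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WINDOW = timedelta(days=30)
def _days(n: int) -> datetime:
    return NOW + timedelta(days=n)

STORE = [
    CertRecord("a1", "alice", "CN=alice",  _days(-355), _days(10)),   # expiring, renewed by a2
    CertRecord("a2", "alice", "CN=alice",  _days(-5),   _days(360)),  # alice's renewal
    CertRecord("b1", "bob",   "CN=bob",    _days(-350), _days(15)),   # expiring, no renewal
    CertRecord("c1", "carol", "CN=shared", _days(-340), _days(25)),   # expiring, no renewal for carol
    CertRecord("d1", "dave",  "CN=shared", _days(-2),   _days(363)),  # dave shares carol's subject DN
]

if __name__ == "__main__":
    for c in certs_to_notify(STORE, NOW, WINDOW):
        print(f"notify {c.username}: fp={c.fingerprint} expires {c.not_after.date()}")
```

Keyed by username, bob and carol are notified; keyed by subject DN, dave's newer certificate silently suppresses carol's notification.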