Update Private Key tooltips in new UI
When a certificate is imported in the system, we do not validate the key size. It should not be less than 1024.
We risk breaking importing certificates and CAs, and also creating them.
A certificate and CA of valid lengths should be imported (1024/2048/4096). They should import as desired. Apart from that, we should try importing a certificate of less than 1024 length; if it imports, this should be marked as failed testing.
A certificate of length 512 can be created with the following command:
openssl req -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -nodes -days 365 -subj '/CN=localhost'
Update: Looks like the work for this ticket is actually done already. The middleware update to screen keys for strength is in 11.2 stable and 11.3, though not in 11.2 RELEASE U1. And it works great on the CA Add page (see screenshot). BUT the Certificate Add page (in 11.3) is failing without an error message when I try to make an Import Cert, whether the credentials are right or wrong. I've been trying to find the cause of that. I feel like if that problem is found, the work in this ticket is already taken care of.
So 11.3 Certificates is probably failing because the methods are jobs there and you have to wait for each job. There was a ticket for that when this change was introduced to Certificate Service in middlewared for new UI. As of the latest nightlies, certificate services calls aren't being treated as jobs in new UI from what I can see. So that should resolve that, and perhaps we should wait for that change first? Because we wouldn't be able to confirm this one until that is implemented in new UI.
This one is ready to go in the 11.2 internal build. Throws the right error message when the key is too small, works when it is right. As for 11.3, importing certs fails right now because of some needed upgrades as described in https://redmine.ixsystems.com/issues/55986
Once that's done, I think this error message about key strength will work for certificates in 11.3 too, just as it already does for CAs.
#14 Updated by Jeff Ervin about 2 months ago
- File Screen Shot 2019-01-29 at 10.43.20 AM.png added
- File Screen Shot 2019-01-29 at 10.47.20 AM.png added
- Status changed from Ready for Testing to Passed Testing
- Needs QA changed from Yes to No
Test Passed FreeNAS-11.2-U2-INTERNAL79
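The import-time key-size screen this ticket asks for, as an added example that is not the FreeNAS middleware's own code: it reads the RSA modulus length from an unencrypted PKCS#1 or PKCS#8 private key PEM and rejects anything under 1024 bits. All function names are assumptions, and the sample key is a constructed dummy with the right layout, not a usable key.

```python
import base64
MIN_RSA_BITS = 1024  # floor stated in the ticket

def read_tlv(buf, pos):  # decode one DER element; return (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):  # modulus size of an unencrypted RSA private key PEM
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    label = lines[0].strip("-").replace("BEGIN ", "")
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError("unsupported PEM type: " + label)
    _, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    _, _, pos = read_tlv(seq, 0)            # version
    if label == "PRIVATE KEY":              # PKCS#8: unwrap to the inner PKCS#1 key
        _, _, pos = read_tlv(seq, pos)      # AlgorithmIdentifier (assumed to be RSA)
        _, octets, _ = read_tlv(seq, pos)   # OCTET STRING holding the PKCS#1 key
        _, seq, _ = read_tlv(octets, 0)
        _, _, pos = read_tlv(seq, 0)        # inner version
    tag, modulus, _ = read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(modulus, "big").bit_length()

def screen_key(pem):  # the import-time check: raise below the floor, else return the size
    bits = rsa_modulus_bits(pem)
    if bits < MIN_RSA_BITS:
        raise ValueError("RSA key is %d bits; at least %d required" % (bits, MIN_RSA_BITS))
    return bits

def der(tag, value):  # minimal DER encoder, used only to build the constructed sample
    n, width = len(value), (len(value).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + value

def constructed_pkcs1_pem(bits):
    """Constructed sample: PKCS#1 layout filled with dummy numbers, not a usable key."""
    ints = [0, (1 << (bits - 1)) | 1, 65537] + [1] * 6  # version, n, e, then 6 dummies
    body = b"".join(der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ints)
    b64 = base64.encodebytes(der(0x30, body)).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n" + b64 + "-----END RSA PRIVATE KEY-----\n"
```

The key.pem written by the openssl command above can be passed to screen_key() as a string; a 512-bit key raises ValueError, which the caller can surface as the import error.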