[jboss-jira] [JBoss JIRA] (WFCORE-4060) Ensure the correct account URL gets used when using the certificate authority operations with both staging and non-staging endpoints with the same certificate-authority-account

Farah Juma (JIRA) issues at jboss.org
Wed Aug 22 16:14:00 EDT 2018


     [ https://issues.jboss.org/browse/WFCORE-4060?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma updated WFCORE-4060:
-------------------------------
    Description: 
We need to make sure that when the {{obtain-certificate}} operation is used to obtain a certificate from Let's Encrypt's staging server and then used again to obtain a certificate from Let's Encrypt's non-staging server that the appropriate account URL is used (i.e., the account URL should start with the staging endpoint in the first case and it should start with the production endpoint in the second case). For example, the following scenario should work properly:

{code}

# Try to obtain a certificate first using the staging endpoint and then again using the non-staging endpoint with the same certificate-authority-account
/subsystem=elytron/key-store=key-store3:add(credential-reference={clear-text=password},type=JKS,path=keystore3.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc3:add(alias=server,key-store=key-store3)
/subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=true) 
/subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=false) 
{code}

Other certificate authority management operations should also be able to handle switching between staging and non-staging using the same {{certificate-authority-account}}.

  was:
We need to make sure that when the {{obtain-certificate}} operation is used to obtain a certificate from Let's Encrypt staging server and then used again to obtain a certificate from Let's Encrypt's production server that the appropriate account URL is used (i.e., the account URL should start with the staging endpoint in the first case and it should start with the production endpoint in the second case). For example, the following scenario should work properly:

{code}

# Try to obtain a certificate first using the staging endpoint and then again using the non-staging endpoint with the same certificate-authority-account
/subsystem=elytron/key-store=key-store3:add(credential-reference={clear-text=password},type=JKS,path=keystore3.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc3:add(alias=server,key-store=key-store3)
/subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=true) 
/subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=false) 
{code}

Other certificate authority management operations should also be able to handle switching between staging and non-staging using the same {{certificate-authority-account}}.



> Ensure the correct account URL gets used when using the certificate authority operations with both staging and non-staging endpoints with the same certificate-authority-account
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-4060
>                 URL: https://issues.jboss.org/browse/WFCORE-4060
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Farah Juma
>            Assignee: Farah Juma
>
> We need to make sure that when the {{obtain-certificate}} operation is used to obtain a certificate from Let's Encrypt's staging server and then used again to obtain a certificate from Let's Encrypt's non-staging server that the appropriate account URL is used (i.e., the account URL should start with the staging endpoint in the first case and it should start with the production endpoint in the second case). For example, the following scenario should work properly:
> {code}
> # Try to obtain a certificate first using the staging endpoint and then again using the non-staging endpoint with the same certificate-authority-account
> /subsystem=elytron/key-store=key-store3:add(credential-reference={clear-text=password},type=JKS,path=keystore3.jks)
> /subsystem=elytron/certificate-authority-account=ca_letsenc3:add(alias=server,key-store=key-store3)
> /subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=true) 
> /subsystem=elytron/key-store=key-store3:obtain-certificate(alias=app3,certificate-authority-account=ca_letsenc3,domain-names=["mydomain.com"],agree-to-terms-of-service,algorithm=RSA,staging=false) 
> {code}
> Other certificate authority management operations should also be able to handle switching between staging and non-staging using the same {{certificate-authority-account}}.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
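
The behaviour the issue asks for, as an added example that is not part of the original message and is not WildFly Elytron code: keep the ACME account URL per CA endpoint instead of one URL per account, and refuse an account URL that does not start with the endpoint in use. The class and method names are hypothetical; the two directory URLs are Let's Encrypt's public ACME v2 endpoints, and the account ids are constructed.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch (not Elytron code): one ACME account URL per CA endpoint.
public class AcmeAccountUrls {
    // Let's Encrypt's public ACME v2 directory URLs.
    static final URI STAGING = URI.create("https://acme-staging-v02.api.letsencrypt.org/directory");
    static final URI PRODUCTION = URI.create("https://acme-v02.api.letsencrypt.org/directory");
    // Keyed by directory URL, so a staging account URL can never answer a production lookup.
    private final Map<URI, URI> accountUrlByDirectory = new HashMap<>();

    static URI directoryFor(boolean staging) {
        return staging ? STAGING : PRODUCTION;
    }

    // True when both URLs share scheme, host and port.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && a.getPort() == b.getPort();
    }

    // Store the account URL the CA returned for this endpoint; reject one from the other endpoint.
    void remember(boolean staging, URI accountUrl) {
        URI directory = directoryFor(staging);
        if (!sameOrigin(directory, accountUrl)) {
            throw new IllegalArgumentException(accountUrl + " does not belong to " + directory);
        }
        accountUrlByDirectory.put(directory, accountUrl);
    }

    // Null means no account URL is known for this endpoint yet: register or look up the account there.
    URI lookup(boolean staging) {
        return accountUrlByDirectory.get(directoryFor(staging));
    }
    public static void main(String[] args) {
        AcmeAccountUrls urls = new AcmeAccountUrls();
        // Constructed account URLs; the numeric ids are made up.
        urls.remember(true, URI.create("https://acme-staging-v02.api.letsencrypt.org/acme/acct/1111"));
        System.out.println("staging=false before registration: " + urls.lookup(false));
        urls.remember(false, URI.create("https://acme-v02.api.letsencrypt.org/acme/acct/2222"));
        System.out.println("staging=true: " + urls.lookup(true) + ", staging=false: " + urls.lookup(false));
        try {
            urls.remember(false, urls.lookup(true)); // staging URL offered for production
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```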

