I’ve been working with the PKI/Dogtag code for a while. Over the past couple years, I’ve been more and more comfortable with Git. PKI uses SVN as a centralized repository. Since Git SVN integration is fairly mature, I’ve been using that to manage my coding. On Monday, I gave a presentation to my team on Git SVN. I’ve taken the outline from the slides and included it here.
Category Archives: PKI
JSS Sockets and HttpClient
The Java bindings for the Network Security Services (NSS) library are called JSS. NSS provides a key management scheme that is different enough from both standard Java and OpenSSL that trying to do standard Java Socket operations using the Apache HttpClient requires a little bit of extra work.
Talking to Dogtag PKI via curl
As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/Certificate approach.
Updating a certificate for a FreeIPA web server
As I install, uninstall, and re-install FreeIPA, I start getting: sec_error_reused_issuer_and_serial. This used to be a minor annoyance, solved by clearing the certificates out of, and restarting, the browser. Recent versions of Firefox have complained even after doing this, leading to the current approach: clear your browser cache. Instead, you can update the certificate on the web server, and this should give you a cert with a new serial number, and avoid the error message.