Story #15673 & #15675: feat(pki) - Migrate to PKCS12 and optimize certificate generation. #3535
New Issues (2): Checkmarx found the following issues in this Pull Request
Fixed Issues (14): Great job! The following issues were fixed in this Pull Request
fd0cb24 to f66e6ca
9d993bd to 5c002f1
987dfae to 7420b46
What is the point of having 2 application.yml files? Are there different usages in some cases?
In any case it does not seem to be used anywhere.
1) Retrieval of the IdP metadata, IdP metadata are ignored, so test metdata can be used instead
2) Creation of a keystore for the IdP: `keytool -genkeypair -alias idp-test -keypass password -keystore idp-test-keystore.jks -storepass password -keyalg RSA -keysize 2048 -validity 3650`
2) Creation of a keystore for the IdP: `keytool -genkeypair -alias idp-test -keypass password -keystore idp-test-keystore.p12 -storepass password -keyalg RSA -keysize 2048 -validity 3650`
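Review bot: the keytool command still omits `-storetype PKCS12`; renaming the output to `idp-test-keystore.p12` does not by itself select the format, and on JDK 8 and earlier keytool defaults to JKS whatever the extension (JDK 9 and later default to PKCS12), so add `-storetype PKCS12` to match the migration. Note as well that Java PKCS12 keystores do not support a key password different from the store password, so `-keypass` must stay equal to `-storepass` (as it does here) or be dropped. The unchanged line above also carries a typo, `metdata`.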
We probably need to add the `-storetype PKCS12` parameter just about everywhere.
Is it needed in both paths? main & test?
A bit painful to maintain, can't we centralize on a single one?
notify: restart service

# Copy the client-external truststore to authorize external applications to communicate with vitamui components.
- name: Copy client-external truststore
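Review bot: the new `Copy client-external truststore` task should carry the same `notify: restart service` as the task above it, otherwise a refreshed truststore is only picked up at the next unrelated restart; the lines shown stop at `- name:`, so please confirm the handler is attached.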
Need to fix this later? Currently we can't call the APIs with client-external certificates.
trust-store-password: {{ truststores_vitamui }}
key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
key-store-password: {{ keystore_vitamui_services_servers_collect }}
# key-password: {{ keystore_vitamui_services_servers_collect }}
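Review bot: leaving `key-password` commented out works only because the key entry in a PKCS12 store is protected with the store password and the embedded Tomcat falls back to `key-store-password` when no key password is configured. The cas-server configuration in this same change sets `key-password` explicitly to the same variable; pick one convention for all components, preferably the explicit one (`key-password: {{ keystore_vitamui_services_servers_collect }}`), so a later change to how the key is protected (for instance removing `-nodes` in generate_certs) does not break only some services.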
Useless as the key stored in the keystore doesn't have a password.
Is it useful if we remove the -nodes parameter for generate_certs?
key-password: {{ password_keystore_server }}
key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
key-store-password: {{ keystore_vitamui_services_servers_cas_server }}
key-password: {{ keystore_vitamui_services_servers_cas_server }}
But needed for cas-server, otherwise it won't start...
# key-password: {{ keystore_vitamui_services_servers_iam }}
trust-store: {{ vitamui_folder_conf }}/truststore_vitamui-services.p12
trust-store-password: {{ truststore_vitamui_services }}
client-auth: want
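Review bot: `client-auth: want` completes the TLS handshake even when the caller presents no certificate, so the trust store configured just above only identifies clients that choose to authenticate; if every caller of this component is expected to present a certificate from `truststore_vitamui-services.p12`, switch to `client-auth: need` so unauthenticated connections are rejected at the handshake rather than relying on application-level checks. Keep `want` only for components with a documented caller that connects without a certificate.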
Everybody calls it with a certificate, do we need to update it to client-auth: need?
-passout pass:"${KEY_PASS}" \
-keyout "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.key" \
-out "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.req" \
-nodes \
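Review bot: `-nodes` and `-passout pass:"${KEY_PASS}"` contradict each other in the same `openssl req` call: `-nodes` writes `${COMPOSANT}.key` unencrypted, so `KEY_PASS` is never applied and the passphrase kept in the vault protects nothing. Either remove `-nodes` (and make sure generate_stores reads the key with the same `KEY_PASS`), or remove `-passout` so the script does not suggest a protection it does not provide.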
For later, remove -nodes.
Now that the variables are fully consistent between generate_certs and generate_stores, it could be reactivated.
Need more tests for the clients of UI-* components configured with nginx, to put the associated passphrase. It is not the same vault that is used to store the certs passphrases and the keystores passphrases.
More coherent variables. Updating comments and logs in English.
…(Java KeyStore) format to industry-standard PKCS12 format. This eliminates the keytool warning and aligns with modern Java best practices.
…e of pki scripts.
cfefcba to 6f5ae54
…rchitecture. * Regenerate a new passphrase for certs & keystores every time we execute the scripts. * Do not generate server certs for UI-* components, currently not supported.
a923663 to 78cc0ae
# Remove old keystores & servers directories
find ${REPERTOIRE_KEYSTORES} -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \;
# Remove old keystores clients & server directories
find ${KEYSTORES_DIRECTORY:?} -mindepth 1 -maxdepth 1 -type d -exec rm -vrf {} \;
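Review bot: the `${KEYSTORES_DIRECTORY:?}` guard is a real improvement over the old `${REPERTOIRE_KEYSTORES}` (with the variable unset, the old command had no path argument and GNU find falls back to the current directory, so `rm -rf` ran on whatever subdirectories happened to be there), but the deletion itself is still unconditional; wrap it in the script's ERASE check, e.g. `if [ "${ERASE}" = "true" ]; then find "${KEYSTORES_DIRECTORY:?}" -mindepth 1 -maxdepth 1 -type d -exec rm -vrf {} \; ; fi`, and quote the variable so a path containing spaces is not split.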
Why do we delete here without checking whether ERASE was set to true?
13c9c69 to c0d4e18
* Using the get_authorities function as reference for generating the expected authorities. * Simplification of scripts, avoiding useless functions. * Keep translating to English.
Description
Updating PKI
security/certificates (cas-server & ui-*). Ansible
security/certificates. database
Type of change
Contributor