Improve handling of trusted certificates #6826
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
Signed-off-by: Ming Lu <[email protected]>
minglumlu
force-pushed
the
private/mingl/trusted-cert
branch
from
f490581 to
ac35717
Compare
lindig
reviewed
Jan 9, 2026
| let certificate_purpose = | ||
| Enum | ||
| ( "certificate_purpose" | ||
| , [("licensing", "Trusted certificates that are for licensing purpose.")] |
Contributor
There was a problem hiding this comment.
"that are for" could be simplified to "Trusted certificates for licensing"
| let install_trusted_certificate = | ||
| call ~flags:[`Session] ~pool_internal:true ~hide_from_docs:true | ||
| ~name:"install_trusted_certificate" | ||
| ~doc:"Install a TLS trusted certificate on this host." |
Contributor
There was a problem hiding this comment.
It's not clear how TLS and trusted are related: is it a TLS-trusted certificate or a trusted TLS certificate?
|
|
||
| let install_trusted_certificate = | ||
| call ~name:"install_trusted_certificate" | ||
| ~doc:"Install a TLS trusted certificate, pool-wide." |
Contributor
There was a problem hiding this comment.
See above for the ambiguity about how trust and TLS are related.
| Xapi_stdext_threads.Threadext.Mutex.execute m (fun () -> | ||
| let (_ : string), (_ : string) = | ||
| Forkhelpers.execute_command_get_output | ||
| "/opt/xensource/bin/update-ca-bundle.sh" [cert_dir; bundle_path] |
Contributor
There was a problem hiding this comment.
This script so far does not take arguments and I don't see it being changed but maybe I missed the change. How is this supposed to work and does this mean other invocations of this script need to be updated?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A draft to collect initial comments. Only basic manual tests are done. More tests are in progress.
The design is https://github.com/xapi-project/xen-api/blob/master/doc/content/design/trusted-certificates.md
(It's a little bit out-of-date. Will update it later. And remaining changes will be raised in following PRs)