> On May 31, 2019, at 11:15 PM, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> On 5/30/19 8:49 PM, Weijun Wang wrote:
>> Sure. How many info do you want to see?
>> I can prepend `keytool -printcert` but that's too much. At least I think the
>> extensions part is not needed. Also, I don't wish people reading the
>> fingerprint inside as genuine and does not calculate it from the cert itself.
>> So, I'm thinking of
>> Owner: CN=XRamp Global Certification Authority, O=XRamp Security Services
>> Inc, OU=www.xrampsecurity.com, C=US
>> Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services
>> Inc, OU=www.xrampsecurity.com, C=US
>> Serial number: 50946cec18ead59c4dd597ef758fa0ad
>> Valid from: 1 Nov 2004 17:14:04 GMT until: 1 Jan 2035 05:37:19 GMT
>> Signature algorithm name: SHA1withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>> Is that OK?
>
> This is good. Did you use keytool to emit those fields?
Yes.
> It might make sense to add a brief README in this directory with instructions
> or a code snippet so that the next time we add a cert we know what to include
> at the top for consistency.
OK, so it might contain:
-----START-----
Each file in this directory (except for this README) contains a CA certificate
in PEM format. It can be generated with
keytool -J-Duser.timezone=GMT -printcert -file ca.cert | sed -n '1,4p;8,10p'
keytool -printcert -file ca.cert -rfc
Please note the textual comment is just a suggestion and not arbitrary.
After any change in this directory, please remember to update the content of
`test/jdk/sun/security/lib/cacerts/VerifyCACerts.java` as well.
-----END-----
And I'll need to skip this README file in the build tool.
--Max
>
> Thanks,
> Sean
>
>> Thanks,
>> Max
>> p.s. `keytool -printcert` shows validity in local timezone. Does not look
>> good to me.
>>> On May 31, 2019, at 6:51 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
>>>
>>> One suggestion is to put a printable form of the contents of the
>>> certificate at the top of each of the PEM files. It would be nice as a
>>> quick-look to see what is in the certificate. Of course, you can also use
>>> keytool -printcert to do that, but if I am just perusing the source code
>>> via a browser or something like that, it would be nice to not have to do
>>> that.
>>>
>>> --Sean
>>>
>>> On 5/30/19 9:01 AM, Weijun Wang wrote:
>>>> Please take a review at
>>>> http://cr.openjdk.java.net/~weijun/8193255/webrev.00/
>>>> Please pay attention to the 1st 3 and the last 2 files. Others are PEM
>>>> files for all certs inside the original cacerts.
>>>> There is one thing I cannot get correct. If I update the
>>>> GenerateCacerts.java file and rerun make, the cacerts file is unchanged. I
>>>> thought the following line
>>>> $(GENDATA_CACERTS): $(BUILD_TOOLS) $(GENDATA_CACERTS_SRC)
>>>> means when when the tool is changed, GENDATA_CACERTS will be called.
>>>> Thanks,
>>>> Max
