Re: [Pki-devel] Fixes 1339263 issue.

2016-06-14 Thread Amol Kahat

Endi thanks.


On 06/13/2016 08:06 PM, Endi Sukma Dewata wrote:

On 6/13/2016 2:22 AM, Amol Kahat wrote:

Hi,

I fixed bugzilla issue no. 1339263.
Please review this patch.

PFA.

Thank You.

Amol K.


Thanks for the patch!

Just one issue, in InstanceMigrateCLI the tomcat_version needs to stay 
where it was since it's getting the value from --tomcat option.


ACK. I fixed the patch and pushed it to master.



___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] Patch for pki-server cli and man page.

2016-06-14 Thread Amol Kahat

Hi,

I fixed bugzilla issue 1341953 and enhanced the code of pki-server
instance-start.


I also fixed the man page for pki-server instance-cert.

Please review these patches.

PFA.


Thanks
Amol K
From e7ca72b6346126b6a4fb5f3d3c51f61fa36c15cf Mon Sep 17 00:00:00 2001
From: Amol Kahat 
Date: Tue, 14 Jun 2016 16:36:40 +0530
Subject: [PATCH] Fixed pki-server instance-start command. Fixed
 pki-server instance-stop command.

Fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1341953

Signed-off-by: Amol Kahat 
---
 base/server/python/pki/server/cli/instance.py | 31 +++
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index d5fc644a1d9ae992907aed8674c793e26bdc0ef8..8eff750872715db109ef83a76a6a6766d0bacdc1 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -329,12 +329,19 @@ class InstanceStartCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance_name = args[0]
-
-instance = pki.server.PKIInstance(instance_name)
-instance.load()
-instance.start()
-
-self.print_message('%s instance started' % instance_name)
+try:
+instance = pki.server.PKIInstance(instance_name)
+if instance.is_valid():
+if instance.is_active():
+self.print_message('%s instance already started.' % instance_name)
+else:
+instance.load()
+instance.start()
+self.print_message('%s instance started' % instance_name)
+else:
+self.print_message('%s no such instance exists.' % instance_name)
+except :
+self.print_message('Error in starting %s' % instance_name)
 
 
 class InstanceStopCLI(pki.cli.CLI):
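Review bot: the bare `except :` at the end of this hunk catches everything, including SystemExit and KeyboardInterrupt, and discards the exception, so a failed start prints only 'Error in starting ...' with no cause and the process still exits with status 0; catch the specific exception type, include it in the message, and call `sys.exit(1)`. The 'no such instance exists.' branch should also exit non-zero rather than only print, otherwise a script cannot tell a missing instance from a successful start. Checking the invalid and already-active cases first and returning early (invalid -> exit 1, active -> message, otherwise load/start) would remove two levels of nesting.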
@@ -381,10 +388,16 @@ class InstanceStopCLI(pki.cli.CLI):
 instance_name = args[0]
 
 instance = pki.server.PKIInstance(instance_name)
-instance.load()
-instance.stop()
+if instance.is_valid():
+if instance.is_active():
+instance.load()
+instance.stop()
 
-self.print_message('%s instance stopped' % instance_name)
+self.print_message('%s instance stopped' % instance_name)
+else:
+self.print_message('%s instance already stopped' % instance_name)
+else:
+self.print_message('%s no such instance exits.' % instance_name)
 
 
 class InstanceMigrateCLI(pki.cli.CLI):
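Review bot: the message in the last `+` line reads 'no such instance exits.' ('exits' for 'exists') and is worded differently from the same condition in InstanceStartCLI; as in the start command, a missing instance should end with `sys.exit(1)` rather than only a message, and 'instance already stopped' lacks the trailing period its start-side counterpart has. The blank context line left between `instance.stop()` and the success message inside the new `if` also reads oddly after the reindent and can go.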
-- 
2.5.5

From 2e8d8ec9f8a29f541d99de7c71c1bedd3b268cc9 Mon Sep 17 00:00:00 2001
From: Amol Kahat 
Date: Tue, 14 Jun 2016 12:42:32 +0530
Subject: [PATCH] Added entry of pki-server instance-cert command in man page.

Signed-off-by: Amol Kahat 
---
 base/server/man/man8/pki-server-instance.8 | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/base/server/man/man8/pki-server-instance.8 b/base/server/man/man8/pki-server-instance.8
index 4d0f52bd97ae27b008e25f7765b03eeaa166a139..bbbc0f9e7f20e8f538e39be1bab8ba4b41712132 100644
--- a/base/server/man/man8/pki-server-instance.8
+++ b/base/server/man/man8/pki-server-instance.8
@@ -20,6 +20,7 @@ pki-server instance \- Command-Line Interface for managing Certificate System in
 .SH SYNOPSIS
 .nf
 \fBpki-server [CLI options] instance\fR
+\fBpki-server [CLI options] instance-cert\fR
 \fBpki-server [CLI options] instance-find\fR
 \fBpki-server [CLI options] instance-show\fR 
 \fBpki-server [CLI options] instance-start\fR 
@@ -48,6 +49,11 @@ enabling or disabling password prompted instance startup using \fBnuxwdog\fR.
 This command is to list available instance commands.
 .RE
 .PP
+\fBpki-server [CLI options] instance-cert\fR
+.RS 4
+This command is to export the all instance cerficates in p12 file.
+.RE
+.PP
 \fBpki-server [CLI options] instance-find\fR
 .RS 4
 This command is to list local CS instances.
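Review bot: typo in the new description line: 'cerficates' should be 'certificates', and 'export the all instance cerficates in p12 file' reads better as 'export all instance certificates to a PKCS #12 file'.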
-- 
2.5.5


[Pki-devel] [PATCH] 769 Fixed problem with headerless PKCS #7 data.

2016-06-14 Thread Endi Sukma Dewata

Due to a recently added validation code, the headerless PKCS #7
data generated by IPA needs to be joined into a single line before
storing it in CS.cfg.

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
From 9ac5e454dafe0d88f174f067e5e47f9d926f00a7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 14 Jun 2016 05:55:01 +0200
Subject: [PATCH] Fixed problem with headerless PKCS #7 data.

Due to a recently added validation code, the headerless PKCS #7
data generated by IPA needs to be joined into a single line before
storing it in CS.cfg.
---
 base/common/python/pki/nssdb.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 2504a95797cae1eebe491df398d41c4129467650..0c27c3f19b6d938e4e335aaf0541d0ca0d0c1796 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -477,6 +477,13 @@ class NSSDatabase(object):
 else:  # import PKCS #7 data without header/footer
 with open(cert_chain_file, 'r') as f:
 base64_data = f.read()
+
+# TODO: fix ipaserver/install/cainstance.py in IPA
+# to no longer remove PKCS #7 header/footer
+
+# join base-64 data into a single line
+base64_data = base64_data.replace('\r', '').replace('\n', '')
+
 pkcs7_data = convert_pkcs7(base64_data, 'base64', 'pem')
 
 tmp_cert_chain_file = os.path.join(tmpdir, 'cert_chain.p7b')
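Review bot: the `.replace('\r', '').replace('\n', '')` line removes only CR and LF; a trailing space or tab on any line would still be passed to convert_pkcs7() and fail the same validation. `''.join(base64_data.split())` drops every kind of whitespace in one step. The join now applies to all headerless input, not only what IPA produces, which is fine but worth saying in the TODO so the comment is not read as IPA-specific.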
-- 
2.5.5
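The patch above joins headerless base-64 PKCS #7 lines so the value fits a single CS.cfg line before convert_pkcs7() validates it. The following is an added example, not code from the pki project, that generalises that step: it accepts input with or without a PEM header/footer, CRLF or LF line ends and stray spaces or tabs, rejects anything that is not valid base-64 before it can reach a config file, and can re-wrap the payload as PEM. The sample chain is constructed bytes, not a real certificate chain, and the PKCS7 header strings and helper names are this example's own.

```python
"""Normalise base-64 PKCS #7 data before storing it as a single CS.cfg value.

Added example, not code from the pki project: the page's patch joins the
headerless base-64 lines with str.replace(); this helper generalises that
step, accepting input with or without a PEM header/footer, CRLF or LF line
ends and stray whitespace, and validating the result before it is used.
"""
import base64
import binascii
import re
import textwrap

# Header/footer strings used by this example's PEM writer (assumption; the
# page's convert_pkcs7() is not shown and may use different labels).
PEM_BEGIN = "-----BEGIN PKCS7-----"
PEM_END = "-----END PKCS7-----"

# A CS.cfg property is one line: after normalisation only base-64
# characters and padding may remain.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def to_single_line(data):
    """Return the base-64 payload of `data` as one whitespace-free line.

    Accepts PEM-wrapped or headerless input. Raises ValueError when the
    payload is not valid base-64, so a corrupt chain is rejected before it
    ever reaches the config file.
    """
    lines = [line.strip() for line in data.splitlines()]
    # Drop a PEM header/footer line if present; keep everything else.
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    # Join the lines and remove whitespace that survived inside them
    # (spaces, tabs), not just the CR/LF that splitlines() consumed.
    joined = "".join("".join(body).split())
    if not _B64_RE.match(joined):
        raise ValueError("PKCS #7 data contains non-base-64 characters")
    try:
        base64.b64decode(joined, validate=True)
    except binascii.Error as e:
        raise ValueError("PKCS #7 data is not valid base-64: %s" % e)
    return joined


def is_valid_base64(data):
    """True if to_single_line() accepts `data`, False otherwise."""
    try:
        to_single_line(data)
    except ValueError:
        return False
    return True


def to_pem(data):
    """Wrap the normalised payload in a PEM header/footer, 64 chars per line."""
    single = to_single_line(data)
    wrapped = "\n".join(textwrap.wrap(single, 64))
    return "%s\n%s\n%s\n" % (PEM_BEGIN, wrapped, PEM_END)


# Constructed sample: 48 arbitrary bytes, base-64 encoded and split across
# short CRLF-terminated lines, the shape of a headerless chain file.
SAMPLE_DER = bytes(range(48))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_HEADERLESS = "\r\n".join(textwrap.wrap(SAMPLE_B64, 16)) + "\r\n"

if __name__ == "__main__":
    print(to_single_line(SAMPLE_HEADERLESS))
    print(to_pem(SAMPLE_HEADERLESS))
```

The decode with `validate=True` is the check the patch's one-line join does not perform; doing it here means a truncated or hand-edited chain fails at import time, with a clear message, rather than later when the stored value is parsed.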


[Pki-devel] [PATCH] 0770 Fixed REST response format.

2016-06-14 Thread Endi Sukma Dewata

Some REST services have been fixed to return the response in XML
format by default.

https://fedorahosted.org/pki/ticket/1276

Pushed under one-liner/trivial rule.

--
Endi S. Dewata
From efdb234b2694ad5f97dcc71842116f9cb57fe9f8 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 14 Jun 2016 20:22:36 +0200
Subject: [PATCH] Fixed REST response format.

Some REST services have been fixed to return the response in XML
format by default.

https://fedorahosted.org/pki/ticket/1276
---
 base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java| 4 ++--
 base/server/cms/src/org/dogtagpki/server/rest/FeatureService.java | 2 +-
 base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java   | 4 +---
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 0993b5c0d8a831f942720f4e1acf67f59da58fda..5ecabacd9a84a4d06e529ca0099f561155f7d791 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -46,8 +46,8 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
 import com.netscape.certsrv.ca.AuthorityID;
-import com.netscape.certsrv.ca.CAEnabledException;
 import com.netscape.certsrv.ca.CADisabledException;
+import com.netscape.certsrv.ca.CAEnabledException;
 import com.netscape.certsrv.ca.CAMissingCertException;
 import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
@@ -97,7 +97,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
 
 GenericEntity> entity =
 new GenericEntity>(results) {};
-return Response.ok(entity).build();
+return createOKResponse(entity);
 }
 
 @Override
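Review bot: with `Response.ok(entity).build()` gone, check whether `Response` is still referenced elsewhere in AuthorityService; if this was the last use the import becomes unused. createOKResponse() itself is not in this diff, so the XML-by-default behaviour the commit message describes rests on the PKIService base class; a one-line javadoc on that helper saying it applies the default media type would make the intent clear to the next reader of this call site.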
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/FeatureService.java b/base/server/cms/src/org/dogtagpki/server/rest/FeatureService.java
index df0ea53444682efc751e2faf7cf1d87b17b32395..8c85437bbeaa1365faffd866f978460381d9cde8 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/FeatureService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/FeatureService.java
@@ -31,7 +31,7 @@ public class FeatureService extends PKIService implements FeatureResource {
 features.add(feature);
 }
 GenericEntity> entity = new GenericEntity>(features) {};
-return Response.ok(entity).build();
+return createOKResponse(entity);
 }
 
 @Override
diff --git a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
index b0b4fd229a322e2ecbb959314ad737023a883745..9e1caaa86bea83d1f57a1c9150dcfae0898b6d38 100644
--- a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
@@ -132,9 +132,7 @@ public class ConfigService extends PKIService implements ConfigResource {
 auditConfigTokenGeneral(ILogger.SUCCESS, method,
 newProperties, null);
 
-return Response
-.ok(configData)
-.build();
+return createOKResponse(configData);
 
 } catch (PKIException e) {
 CMS.debug(method +": " + e);
-- 
2.5.5


Re: [Pki-devel] Patch for pki-server cli and man page.

2016-06-14 Thread Endi Sukma Dewata

On 6/14/2016 6:14 AM, Amol Kahat wrote:

Hi,

I fixed bugzilla issue 1341953 and enhanced the code of pki-server
instance-start.

I also fixed the man page for pki-server instance-cert.

Please review these patches.

PFA.


Thanks
Amol K


Thanks!

I pushed the patches to master with some revisions:
* the if-statements were restructured to reduce indentations
* if the instance doesn't exist the code calls sys.exit(1)
* some output messages were modified for consistency

--
Endi S. Dewata
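The revisions listed above (flatter if-statements, sys.exit(1) when the instance does not exist, consistent messages) are shown below in an added example that is not the pki-server code. `FakeInstance` is a constructed stand-in for pki.server.PKIInstance exposing only the is_valid()/is_active()/load()/start() calls the patch uses, `InstanceError` is an assumed failure type, and `start_instance()` returns the exit status instead of calling sys.exit() directly so the behaviour can be checked; `main()` turns that status into the real exit code.

```python
"""Start-command logic restructured as in the review: flat checks, non-zero
exit when the instance is missing, and only a specific exception caught.

Added example, not the pki-server code. FakeInstance and InstanceError are
constructed stand-ins for pki.server.PKIInstance and its failure mode.
"""
import sys


class InstanceError(Exception):
    """Constructed stand-in for the failures PKIInstance.start() may raise."""


class FakeInstance(object):
    """Constructed stand-in for pki.server.PKIInstance (not the real class)."""

    def __init__(self, name, exists=True, active=False, fail=False):
        self.name = name
        self._exists = exists
        self._active = active
        self._fail = fail
        self.loaded = False

    def is_valid(self):
        return self._exists

    def is_active(self):
        return self._active

    def load(self):
        self.loaded = True

    def start(self):
        if self._fail:
            raise InstanceError("service failed to start")
        self._active = True


def start_instance(instance, print_message=print):
    """Return 0 on success (or when already running), 1 on any failure.

    Each condition is handled and returned in turn, so the happy path is
    not nested three levels deep. Only the start() call is guarded, and
    only against the instance's own error type, so a KeyboardInterrupt or
    a programming error is not silently reported as 'Error in starting'.
    """
    if not instance.is_valid():
        # Missing instance: report and fail, so callers can distinguish
        # this from a successful start by the exit status.
        print_message("ERROR: Invalid instance: %s" % instance.name)
        return 1

    if instance.is_active():
        print_message("%s instance already started" % instance.name)
        return 0

    instance.load()
    try:
        instance.start()
    except InstanceError as e:
        print_message("ERROR: Unable to start %s: %s" % (instance.name, e))
        return 1

    print_message("%s instance started" % instance.name)
    return 0


def main(argv):
    # Usage: python this_script.py <instance_name>
    if len(argv) != 1:
        print("Usage: instance-start <instance_name>")
        return 1
    # Hypothetical: a real CLI would construct pki.server.PKIInstance here.
    return start_instance(FakeInstance(argv[0]))


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Returning the status from the function and calling sys.exit() once at the top level keeps the decision logic testable and guarantees that every failure path, not only the caught exception, reaches the shell as a non-zero exit.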



[Pki-devel] [pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch

2016-06-14 Thread John Magne
Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST

The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.

Other operations such as revoking and unrevoking cert in the code path already
have audit logs issued separately for success or failure.

Ticket #2340.
From cecb728768166c9dc252b4c9fe25e38b9cbb72db Mon Sep 17 00:00:00 2001
From: Jack Magne 
Date: Tue, 14 Jun 2016 16:00:39 -0700
Subject: [PATCH] Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST

The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.

Other operations such as revoking and unrevoking cert in the code path already
have audit logs issued separately for success or failure.

Ticket #2340.
---
 base/ca/src/com/netscape/ca/CAService.java | 172 ++---
 1 file changed, 81 insertions(+), 91 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 485acc6..9bf237f 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -31,6 +31,33 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
 
+import netscape.security.extensions.CertInfo;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.Extension;
+import netscape.security.x509.LdapV3DNStrConverter;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.SerialNumber;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509ExtensionException;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.authority.ICertAuthority;
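Review bot: this hunk and the one that follows only move the netscape.security imports ahead of the com.netscape block; together with the whitespace-only re-indent of the `archivalRequired` line further down they account for most of the 81 insertions and 91 deletions in a patch whose message describes an audit-logging fix. Splitting the import reordering into its own commit would leave the functional change reviewable on its own.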
@@ -68,33 +95,6 @@ import com.netscape.cmscore.dbs.RevocationInfo;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.util.Utils;
 
-import netscape.security.extensions.CertInfo;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.Extension;
-import netscape.security.x509.LdapV3DNStrConverter;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.SerialNumber;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509ExtensionException;
-
 /**
  * Request Service for CertificateAuthority.
  */
@@ -192,7 +192,7 @@ public class CAService implements ICAService, IService {
 
 if (kraConfig != null) {
 mArchivalRequired = kraConfig.getBoolean(
-"archivalRequired", true);
+"archivalRequired", true);
 mKRAConnector = getConnector(kraConfig);
 if (mKRAConnector != null) {
 if (Debug.ON) {
@@ -293,10 +293,12 @@ public class CAService implements ICAService, IService {
 
 String clientCiphers = config.getString("clientCiphers", null);
 if (timeout == 0)
-connector = new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, resendInterval, config);
+connector = new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, rese

Re: [Pki-devel] [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch

2016-06-14 Thread Matthew Harmsen

On 06/06/2016 05:39 PM, John Magne wrote:

Fix attached.



ACK

Personally, I always prefer the use of enclosing braces "{ . . . }" 
after a conditional even when it only has one line.

Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present

2016-06-14 Thread Endi Sukma Dewata

On 6/13/2016 9:38 PM, Fraser Tweedale wrote:

Hi all,

The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
Please review for inclusion in 10.3.3.

Thanks,
Fraser


It looks like the initSignUnit() is only called with retrieveKeys=true 
in init(). So the code that starts the key retriever thread probably can 
be moved out, becoming something like this:


  initDefCaAttrs();

  try {
  initSignUnit();
  checkForNewerCert();

  } catch (CAMissingCertException | CAMissingKeyException e) {
  // start key retriever thread

  } catch (EBaseException e) {
  ...
  }

I think it would clarify a little bit how the missing cert/key is handled.

So if I understand correctly if the cert/key is missing the LWCA object 
will still be created and registered, but it will be disabled 
(hasKeys=false)?


When the key retriever thread is complete, will it automatically 
reinitialize and enable the LWCA object?


Regardless, feel free to push the patch as is.

--
Endi S. Dewata



Re: [Pki-devel] Karma Request for Dogtag 10.3.2 on Fedora 24

2016-06-14 Thread Matthew Harmsen

On 06/13/2016 09:43 AM, Matthew Harmsen wrote:

Everyone,

Please, note the updated builds of pki-core.


Sorry, more updated builds.



Thanks,
-- Matt

On 06/10/2016 11:39 AM, Matthew Harmsen wrote:
The following candidate builds of Dogtag 10.3.2 for Fedora 24 consist
of the following:

  * dogtag-pki-theme-10.3.2-2.fc24
  * dogtag-pki-10.3.2-1.fc24
  * dogtag-pki-10.3.2-2.fc24
  * pki-core-10.3.2-3.fc24
  * pki-core-10.3.2-4.fc24
  * pki-console-10.3.2-2.fc24
  * pki-console-10.3.2-3.fc24

Please provide Karma for these builds in Bodhi located at:

  * dogtag-pki-theme-10.3.2-2.fc24
  * dogtag-pki-10.3.2-1.fc24
  * dogtag-pki-10.3.2-2.fc24
  * pki-core-10.3.2-3.fc24
  * pki-core-10.3.2-4.fc24
  * pki-console-10.3.2-2.fc24
  * pki-console-10.3.2-3.fc24

Additionally, the following builds have been provided for Fedora 25
(rawhide):

  * dogtag-pki-theme-10.3.2-2.fc25
  * dogtag-pki-10.3.2-1.fc25
  * dogtag-pki-10.3.2-2.fc25
  * pki-core-10.3.2-3.fc25
  * pki-core-10.3.2-4.fc25
  * pki-console-10.3.2-2.fc25
  * pki-console-10.3.2-3.fc25

Thanks,
-- Matt






Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present

2016-06-14 Thread Fraser Tweedale
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote:
> On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
> > Please review for inclusion in 10.3.3.
> > 
> > Thanks,
> > Fraser
> 
> It looks like the initSignUnit() is only called with retrieveKeys=true in
> init(). So the code that starts the key retriever thread probably can be
> moved out, becoming something like this:
> 
>   initDefCaAttrs();
> 
>   try {
>   initSignUnit();
>   checkForNewerCert();
> 
>   } catch (CAMissingCertException | CAMissingKeyException e) {
>   // start key retriever thread
> 
>   } catch (EBaseException e) {
>   ...
>   }
> 
> I think it would clarify a little bit how the missing cert/key is handled.
> 
Yes, that will be a nice refactor.  I may send a patch for that soon.

> So if I understand correctly if the cert/key is missing the LWCA object will
> still be created and registered, but it will be disabled (hasKeys=false)?
> 
> When the key retriever thread is complete, will it automatically
> reinitialize and enable the LWCA object?
> 
Yes to both questions.  The bug was that an exception could be thrown
when constructing the LWCA object (thus it was not registered).
Key retrieval had been initiated and successfully retrieved the key,
but there was no LWCA object to reinitialise.

> Regardless, feel free to push the patch as is.
> 
Thanks, pushed to master (41aef5254c20301851716ef46b614d185b33a87b)



[Pki-devel] [PATCH] 771 Refactored SystemConfigService.processCerts().

2016-06-14 Thread Endi Sukma Dewata

To simplify future enhancements the code that processes each
certificate in SystemConfigService.processCerts() has been moved
into a separate method.

--
Endi S. Dewata
From 9f9d4a7bce1f30f82b84b48857a877fb1e0f47e0 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 15 Jun 2016 04:00:27 +0200
Subject: [PATCH] Refactored SystemConfigService.processCerts().

To simplify future enhancements the code that processes each
certificate in SystemConfigService.processCerts() has been moved
into a separate method.
---
 .../dogtagpki/server/rest/SystemConfigService.java | 308 +++--
 1 file changed, 164 insertions(+), 144 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 3720116b9e25c3e636248e342226d55fc234f70c..6fc37b5eec90547c25c420d0172953b91134d352 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -382,150 +382,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 continue;
 }
 
-String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa";
-
-String keyalgorithm = certData.getKeyAlgorithm();
-if (keyalgorithm == null) {
-keyalgorithm = keytype.equals("ecc") ? "SHA256withEC" : "SHA256withRSA";
-}
-
-String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm;
-String nickname = cs.getString("preop.cert." + tag + ".nickname");
-String dn = cs.getString("preop.cert." + tag + ".dn");
-
-cs.putString("preop.cert." + tag + ".keytype", keytype);
-cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm);
-cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm);
-
-// support injecting SAN into server cert
-if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) {
-CMS.debug("updateConfiguration(): san_server_cert found");
-cs.putString("service.injectSAN", "true");
-cs.putString("service.sslserver.san", certData.getServerCertSAN());
-} else {
-if ( tag.equals("sslserver"))
-CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver");
-}
-cs.commit(false);
-
-if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-// load key pair for existing and externally-signed signing cert
-CMS.debug("SystemConfigService: loading signing cert key pair");
-KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken());
-ConfigurationUtils.storeKeyPair(cs, tag, pair);
-
-} else if (!request.getStepTwo()) {
-if (keytype.equals("ecc")) {
-String curvename = certData.getKeyCurveName() != null ?
-certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
-cs.putString("preop.cert." + tag + ".curvename.name", curvename);
-ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
-
-} else {
-String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
-.getString("keys.rsa.keysize.default");
-cs.putString("preop.cert." + tag + ".keysize.size", keysize);
-ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
-}
-
-} else {
-CMS.debug("configure(): step two selected.  keys will not be generated for '" + tag + "'");
-}
-
-Cert cert = new Cert(tokenName, nickname, tag);
-cert.setDN(dn);
-cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem"));
-cert.setType(cs.getString("preop.cert." + tag + ".type"));
-
-if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-
-// update configuration for existing or externally-signed signing certificate
-String certStr = cs.getString("ca." + tag + ".cert" );
-cert.setCert(certStr);
-CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr);
-ConfigurationUtils.updateConfig(cs, tag);
-
-} else if (!request.getStepTwo