Revision 931b6fcd
Added by Joniel Pasqualetto about 2 months ago
bin/katello-certs-check | ||
---|---|---|
error 4 "The $CA_BUNDLE_FILE does not verify the $CERT_FILE"
|
||
echo -e "${CHECK/OK/}\n"
|
||
else
|
||
success
|
||
success
|
||
fi
|
||
}
|
||
|
||
... | ... | |
CHECK=$(grep -c "^--*BEGIN" $CA_BUNDLE_FILE)
|
||
printf $CHECK
|
||
if [[ $CHECK -lt $CABUNDLE_MAX_ISSUERS ]]; then
|
||
success
|
||
success
|
||
else
|
||
CERRTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
|
||
error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
|
||
echo $CERTISSUER
|
||
echo
|
||
fi
|
||
}
|
||
|
||
function check-ca-bundle-trust-rules () {
|
||
printf "Checking if CA bundle has trust rules: "
|
||
CHECK=$(grep 'BEGIN TRUSTED CERTIFICATE' $CA_BUNDLE_FILE| wc -l)
|
||
printf $CHECK
|
||
if [[ $CHECK -lt 1 ]]; then
|
||
success
|
||
else
|
||
CERTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
|
||
error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
|
||
echo $CERTISSUER
|
||
echo
|
||
error 10 "The CA bundle contains $CHECK certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Please, recreate the bundle using certificates without trust rules"
|
||
echo
|
||
fi
|
||
}
|
||
|
||
... | ... | |
check-priv-key
|
||
check-ca-bundle
|
||
check-ca-bundle-size
|
||
check-ca-bundle-trust-rules
|
||
check-cert-san
|
||
check-cert-usage-key-encipherment
|
||
check-shortname
|
Fixes #37063 - Add feature in katello-certs-check to verify if CA bundle has any certificates with trust rules