sfayer / cert_sorcerer Goto Github PK

Hi,
A change on the CA backend means that MD5 signing of CSRs will soon no longer be supported. You should be able to change this to something like SHA256withRSA (this is what CertWizard is now using) for continued support for CSRs,
Thanks,
Will.

The code still contains an embedded copy of the SHA1 signed CA cert which was recently revoked: This should be updated to the newer version.

Hello,

I've recently done some development work on the CertWizard API (known to us as CA-Server) to fix a bug we've been having with getting back certificates. The original endpoint accepted a GET request to

https://cwiz-live.ca.ngs.ac.uk/resources/resource/publickey/<base64-encoded-public-key> which then lets you get information associated with a certificate. We noticed an issue where if the base64 encoding had more than once consecutive / then things could break.

So you can instead sent a POST request to https://cwiz-live.ca.ngs.ac.uk/resources/resource/publickey/pk with the following content. The return content has not changed. The GET method also still exists for backwards compatibility, so you might not need to do anything if you haven't noticed any issues.

<PublicKey>
base64-encoded-public-key
</PublicKey>

When renewing a usercert, the user's e-mail should be included as a SAN, however currently the default e-mail is used instead. The CA used to ignore this and use the main request e-mail in the SAN anyway, but it appears the incorrect value is now honoured. This is the line that should include the e-mail: