Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Dienstcatalogus" for eHerkenning uses current (old) certificate, but should include the future certificate when present #5136

Open
LaurensBurger opened this issue Mar 5, 2025 · 2 comments · May be fixed by maykinmedia/django-digid-eherkenning#92
Open

"Dienstcatalogus" for eHerkenning uses current (old) certificate, but should include the future certificate when present #5136

LaurensBurger opened this issue Mar 5, 2025 · 2 comments · May be fixed by maykinmedia/django-digid-eherkenning#92
Assignees
@sergei-maertens @LaurensBurger
Labels
owner: dimpact
Milestone
Release 3.1.0

Comments

@LaurensBurger
Copy link
Collaborator

Product versie / Product version

2.8.x

Customer reference

Vught 89

Omschrijf het probleem / Describe the bug

When new eHerkenning metadata needs to be provided, in this case for a renewal of a PKI certificate. The "Dienstcatalogus" is generated with the old certificate instead of the future certificate which means while the metadata itself does contain the new and old cert, the old cert needs to be removed temporarily to generate the new "Dienstcatalogus" anyway.

Which defeats the purpose of having both the current and new certificate present in the configuration.
i believe it would be safe to always use the "future" certificate if one is present because if it is - the new metadata and dienstcatalogus are generated for that purpose.

Stappen om te reproduceren / Steps to reproduce

No response

Verwacht gedrag / Expected behavior

No response

Screen resolution

None

Device

None

OS

None

Browser

No response
@LaurensBurger LaurensBurger added the triage Issue needs to be validated. Remove this label if the issue considered valid. label Mar 5, 2025
@sergei-maertens
Copy link
Member

I thought the point of communicating the new certificate is so that it can be pro-actively added to the trust store on the eHerkenning side - if we provide new metadata signed with the new certificate that includes the old and new certificate, there's no way for the broker to validate the proper signature of the new metadata, is there?

@joeribekker
Copy link
Contributor

Refinement: As far as I understand there is a workaround so we don't give it high prio. However, its good that a client encounters this so we get some hands on usage of what we intended as an improvement. Assigning Sergei and Laurens to discuss what Vught does exactly and where the poblem is.

@joeribekker joeribekker added owner: dimpact and removed triage Issue needs to be validated. Remove this label if the issue considered valid. labels Mar 10, 2025
@joeribekker joeribekker added this to the Release 3.1.0 milestone Mar 10, 2025
@sergei-maertens sergei-maertens moved this from Todo to In Progress in Development Mar 13, 2025
sergei-maertens added a commit to maykinmedia/django-digid-eherkenning that referenced this issue Mar 13, 2025
@sergei-maertens
🧪 [open-formulieren/open-forms#5136] Add regression test for old cert…
41efbd2 
… being used

If a new certificate has been configured and the service catalogue is
being generated again, the expectation is that the next certificate
is included in the metadata rather than the current, because the
latter will (likely) soon expire.

Note that this assumption breaks if users prepare the next
certificate way ahead of time (e.g. it's ready one year
before the current certificate expires), but this seems
mostly a theoretical case since certificates appear to
be issued and then taken into production in a matter of
hours or days.
sergei-maertens added a commit to maykinmedia/django-digid-eherkenning that referenced this issue Mar 13, 2025
@sergei-maertens
🐛 [open-formulieren/open-forms#5136] Use next certificate in eh servi…
ecc1d12 
…ce catalog when it's available

If a next certificate is configured, scheduled to replace the
(expiring) current certificate, use that in favour of the
current certificate when genering the service catalogue
metadata.
@sergei-maertens sergei-maertens linked a pull request Mar 13, 2025 that will close this issue
Open
@sergei-maertens sergei-maertens moved this from In Progress to Implemented in Development Mar 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sergei-maertens sergei-maertens

@LaurensBurger LaurensBurger

Labels
owner: dimpact
Projects
Development
Status: Implemented
Milestone
Release 3.1.0
Development

Successfully merging a pull request may close this issue.

Include "next" certificate in service catalogue metadata maykinmedia/django-digid-eherkenning
3 participants
@joeribekker @sergei-maertens @LaurensBurger