Config to change algo to ECC during reissue

This commit is contained in:
sayali 2021-01-05 18:13:09 -08:00
parent 9657098514
commit 8f16402c0a
1 changed files with 9 additions and 0 deletions


@ -795,6 +795,15 @@ def reissue_certificate(certificate, replace=None, user=None):
else:
primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
# Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
# This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
# Unless identified a use case, this will be removed in mid-Q2 2021
ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
primitives["key_type"] = "ECCPRIME256V1"
new_cert = create(**primitives)
return new_cert
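Review bot: The ECC opt-out on the `if` line keys only on `certificate.cn`, so a certificate whose ECC-incompatible hostname lives in a SAN rather than the CN, or one with no CN at all (`None not in [...]` is true), is still rotated to ECCPRIME256V1; if `ECC_NON_COMPATIBLE_COMMON_NAMES` is meant to protect such endpoints, the check should also consider the certificate's SAN names, though I cannot see the certificate model from here to name the attribute. Both config values are used with `in` and no type check, so a misconfigured scalar such as `ROTATE_TO_ECC_OWNER_LIST = "team@example.com"` silently turns the test into a substring match — validating that both are lists at app startup, or wrapping them as `list(...)`, would make that failure loud instead of quietly over-rotating. Because this changes the key algorithm of a reissued certificate without any caller asking for it, record the decision for audit, e.g. `current_app.logger.info("Reissuing certificate %s (owner %s) with key_type ECCPRIME256V1 per ROTATE_TO_ECC_OWNER_LIST", certificate.id, certificate.owner)` inside the `if` block. The enclosing `reissue_certificate` starts before this hunk.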