From 8f16402c0a4cbab85c447697db2d858becccc47b Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 5 Jan 2021 18:13:09 -0800
Subject: [PATCH] Config to change algo to ECC during reissue

---
 lemur/certificates/service.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index b22090b6..5999760f 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -795,6 +795,15 @@ def reissue_certificate(certificate, replace=None, user=None):
     else:
         primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
 
+    # Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
+    # This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
+    # Unless identified a use case, this will be removed in mid-Q2 2021
+    ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
+    ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
+
+    if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
+        primitives["key_type"] = "ECCPRIME256V1"
+
     new_cert = create(**primitives)
     return new_cert
 
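Review bot: The ECC switch decides on `certificate.cn` alone, so a certificate whose CN is absent from `ECC_NON_COMPATIBLE_COMMON_NAMES` but whose SANs include a listed name is still rotated to P-256; if the certificate model exposes its SANs, the exclusion check should consult them as well as the CN. The override is also silent — nothing records that the reissued certificate's key algorithm differs from the original's, which is exactly the fact an operator needs when an owner reports a client that stopped accepting the new certificate; add `current_app.logger.info("Reissue of cert %s (owner %s): switching key_type to ECCPRIME256V1", certificate.id, certificate.owner)` inside the `if` body. Nothing in the hunk verifies that the issuing authority accepts `ECCPRIME256V1`, so `create(**primitives)` may fail or be rejected for an authority that only issues RSA; whether `create` validates the key type against the authority is outside this hunk, so I cannot confirm it either way. Since the comment block itself says the code is temporary, make it a `# TODO(sayali): remove after mid-Q2 2021 unless a use case is identified` so the sunset is greppable, and note in the same comment that a missing config key defaults to `[]` and therefore disables the rotation. The start of `reissue_certificate` lies outside the hunk.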