Unnecessary creation of signed certificate.

Question

Unnecessary creation of signed certificate.

whitingjr opened this issue 5 years ago · 3 comments

whitingjr commented 5 years ago

The code that generates a signed certificate for a host is doing some unnecessary work.

The CertUtils object is creating 2 certificates. Each signed by the issuer private key.
Double certificate creation

It will be good if this code can be made more efficient. Ideally only creating one signed certificate.

It will help reduce the risk of executor threads timing out and blocking. As seen in #1521

Answer 1 · 2020-02-22T04:04:15.000Z

I thought generateX509Certificate is to create the cert and the following method to sign it. I might have been wrong. Anyway, we just need one signed cert.

Answer 2 · 2020-03-02T19:34:48.000Z

Well the model in this BC book sample is to create a chain with root, intermediate and end entry certificates.
It appears the existing code is creating 3 certificates. Not quite identical to the above chain.
I suggest we only need 2. A root and end certificate. With the end certificate getting signed by the root.

Answer 3 · 2020-03-12T11:11:43.000Z

A PR #1527 was created to implement this optimization. But due to a necessary change in the workflow it has been abandoned.