For one, apply more rules from CA/B forum. This includes including KU and EKU extensions, marking basicConstraints critical, and randomized serial numbers.
Also make the backdate and end date configurable, to allow for the BMC certs to have a more palatable validity interval.
Begin expanding certutil to sign other certificates from external CSRs more easily.
Have certutil make the CA constraint critical.
Have the fingerprint based validator have a mechanism to check for properly signed certificate in lieu of exact match, and update the stored fingerprint on match.
Provide a means to request a custom subject when evaluating a target.
Change redfish plugin to set that subject in the verifier.
Some OS deployment mechanisms may wish to convey the identity information more loosely. For those, it's convenient if the files are loose instead of needing extraction from a VFAT image.
Recognize BFB embedded OS as a potential osdeploy target.
This is toward the end of identifying the appropriate 'addons.cpio' for setting up for a bf.cfg driven bfb install.
For now, it is disabled until companion os category exists.
Apart from the gc_thresh indirect check, perform other checks.
For now, just highlight that tcp_sack being disabled can really mess with BMC connections. Since the management node may have high speed and the BMC may be behind a 100MBit link, SACK is needed to overcome the massive loss and induce TCP to rate limit appropriately.
Some platforms can have a very slow category, like disks. Give CLI a way to ask for the desired categories and a chance to optimize away the uninteresting.
Samba by default needs executable bit on files for them to be executable by Windows.
Only give executable bits to .exe files that are PE32, mitigating the chance the executable bit could mean anything for Linux.
It could still mean something with binfmt misc hooks, but that shouldn't be done much.
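An added illustration of the executable-bit policy described in the Samba note above, not the project's own code: the function names are hypothetical, treating PE32+ images the same as PE32 is an assumption, and `sample_pe` builds a constructed header for testing only.

```python
import os
import stat
import struct

# Optional-header magic values; accepting PE32+ as well is an assumption here.
PE_MAGICS = {0x10b: 'PE32', 0x20b: 'PE32+'}

def pe_kind(path):
    """Return 'PE32' or 'PE32+' if path holds a PE image, else None."""
    try:
        with open(path, 'rb') as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b'MZ':
                return None
            (e_lfanew,) = struct.unpack_from('<I', dos, 0x3c)
            f.seek(e_lfanew)
            hdr = f.read(26)  # 'PE\0\0' + 20-byte COFF header + 2-byte magic
    except OSError:
        return None
    if len(hdr) < 26 or hdr[:4] != b'PE\0\0':
        return None
    return PE_MAGICS.get(struct.unpack_from('<H', hdr, 24)[0])

def fix_exec_bits(root):
    """Set x bits only on .exe files that parse as PE; clear them elsewhere."""
    marked = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # never follow symlinks or touch special files
            mode = stat.S_IMODE(st.st_mode)
            if name.lower().endswith('.exe') and pe_kind(path):
                newmode = mode | ((mode & 0o444) >> 2)  # x wherever r is set
                marked.append(path)
            else:
                newmode = mode & ~0o111
            if newmode != mode:
                os.chmod(path, newmode)
    return sorted(marked)

def sample_pe(magic=0x10b):
    """Constructed minimal header: enough for pe_kind, not a loadable image."""
    dos = b'MZ' + b'\0' * 0x3a + struct.pack('<I', 0x40)
    return dos + b'PE\0\0' + b'\0' * 20 + struct.pack('<H', magic)
```

A shell script renamed to `.exe` fails the header check and loses its executable bit, so the extension alone never grants it.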
If an XCC is booting, it may appear before it's ready to use redfish to manage user accounts. Handle this by delaying the discovery until the service is ready.
Provide checks for nginx config and apache configuration, perhaps even concurrently.
Latch on the first match, since we are taking care of IP based SANs and subsequent server/virtualhost sections are irrelevant.
Latch onto a chain file, if indicated in the apache configuration, placing our CA in the chain.
For nginx, put our CA in the cert, since nginx uses the 'certificate' file as the chain.
In this scenario, a cross-signed CA cert is possible.
Cache the directory list over a few seconds to avoid excessive filesystem calls.
Also switch to a more potent regex to avoid wasting time on timestamped files.