From 726ced923f54f0cd30b8f3303410e59ea7f1a1c3 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 1 Dec 2016 16:41:55 +0100
Subject: doc: document the fact that certificates and CRLs are unusable after generation

They must be exported and re-imported if intended to be used for signing or verification.
---
 lib/x509/crl_write.c | 9 +++++++++
 lib/x509/x509_write.c | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index 2cc1a75694..0d46835ad6 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2016 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -86,6 +87,10 @@ gnutls_x509_crl_set_version(gnutls_x509_crl_t crl, unsigned int version)
  * This must be the last step in a certificate CRL since all
  * the previously set parameters are now signed.
  *
+ * A known limitation of this function is, that a newly-signed CRL will not
+ * be fully functional (e.g., for signature verification), until it
+ * is exported an re-imported.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
@@ -455,6 +460,10 @@ gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
  * This must be the last step in a certificate CRL since all
  * the previously set parameters are now signed.
  *
+ * A known limitation of this function is, that a newly-signed CRL will not
+ * be fully functional (e.g., for signature verification), until it
+ * is exported an re-imported.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index c2293dac93..3e466bd102 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2016 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
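Review bot: The added line `+ * is exported an re-imported.` in the `@@ -86,6 +87,10 @@` hunk of crl_write.c has a typo ("an" for "and"), and the sentence before it misplaces a comma after "is"; the identical wording is repeated in the `@@ -455,6 +460,10 @@` hunk of crl_write.c and in the `@@ -1066` and `@@ -1714` hunks of x509_write.c. I would write ` * A known limitation of this function is that a newly-signed CRL will not` / ` * be fully functional (e.g., for signature verification) until it` / ` * is exported and re-imported.` (with "certificate" in place of "CRL" in x509_write.c). Because a caller is most likely to trip over this when it verifies or otherwise uses the freshly signed object straight away, the sentence would be more actionable if it named the round-trip the commit message describes, e.g. gnutls_x509_crl_export() followed by gnutls_x509_crl_import() for CRLs and the corresponding crt functions for certificates. The doc comment blocks these hunks sit in begin before each hunk.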
@@ -1066,6 +1067,10 @@ gnutls_x509_crt_set_private_key_usage_period(gnutls_x509_crt_t crt,
  * This must be the last step in a certificate generation since all
  * the previously set parameters are now signed.
  *
+ * A known limitation of this function is, that a newly-signed certificate will not
+ * be fully functional (e.g., for signature verification), until it
+ * is exported an re-imported.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  **/
@@ -1714,6 +1719,10 @@ gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert,
  * This must be the last step in a certificate generation since all
  * the previously set parameters are now signed.
  *
+ * A known limitation of this function is, that a newly-signed certificate will not
+ * be fully functional (e.g., for signature verification), until it
+ * is exported an re-imported.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  **/
-- 
cgit v1.2.1