Bug 1305992
Summary: Database upgrade script to add issuerName attribute to all cert entries
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Fraser Tweedale <ftweedal>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.3
CC: arubin, edewata, ftweedal, gkapoor, mmuehlfe, rpattath
Target Milestone: rc
Target Release: 7.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.3.2-3.el7
Doc Type: Enhancement
Doc Text:
New "pki-server" subcommand to add the issuer DN to a certificate
An enhancement in the Certificate Server now stores the issuer DN in new certificate records and the REST API certificate search enables support for filtering certificates by the issuer DN. To add the issuer DN to existing certificate records, run:
# pki-server db-upgrade
Last Closed: 2016-11-04 05:23:09 UTC
Description
Matthew Harmsen
2016-02-09 18:29:30 UTC
edewata fixed this:

Fixed in master:
f306058c4fb2f1e80e753b744a4d26eaa53a293f
8d239f0b5c01ec94075a52eec8d8f5485b172ffd

Endi, could you provide steps to verify this bug?

Fraser probably knows better, but I think basically it can be verified with these steps:

1. Create a CA with PKI 10.2.x packages.
2. Check the certificate records under ou=certificateRepository, ou=ca, SUFFIX in the DS. There should be entries without an issuerName attribute.
3. Upgrade the PKI packages to 10.3.x.
4. Run pki-server db-upgrade.
5. Check the certificate records in #2 again. They all should have an issuerName attribute now.

See also: http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.2.x#Adding_issuerName_attribute

Test Cases & Setup:
==================

Before Db upgrade:
---------------------

[root@cspki-vm1 yum.repos.d]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA"
2. Stop CA instance and try to migrate from pki-ca 10.2.x to pki-ca 10.3.x.

Installed Packages
pki-ca.noarch 10.2.5-6.el7 @rhel72
Available Packages
pki-ca.noarch 10.3.3-9.el7 RHEL_7.3

3. Check ca debug logs to make sure it started.
4. Check all connectivity is up with db.
5. Run pki-server db-upgrade

[root@cspki-vm1 ca]# pki-server -v db-upgrade -i pki-test
Command: db-upgrade -i pki-test
----------------
Upgrade complete
----------------

6. Check in ldap if a new entry exists for issuerName.

[root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA"
rYTk4kVsPUFpJFbdDfT4JIBIafZfDM0BpvJOVlLoQRIbHQr3+c4eSuP7fI= version: 2 algorithmId: 1.2.840.113549.1.1.1 signingAlgorithmId: 1.2.840.113549.1.1.11 dateOfCreate: 20160918211914Z dateOfModify: 20160918211914Z certStatus: VALID autoRenew: ENABLED issuedBy: system cn: 6 issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain # search result search: 2 result: 0 Success # numResponses: 8 # numEntries: 7 6. Verify all the 6 certs have new attribute "issureName" added with correct IssuerName [root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA" | grep issuerName issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain Test Case 1: To verify that new attribute "issureName" gets added. 
[root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA" | grep issuerName
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

Test Case 2: Add a new cert in the ldap without an issuerName. Do a db-update and see if the attribute is getting added when a usercert has different IssuerName.

issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarma

Test Case 3: Add an LDAP entry and "UserCertificate" is incorrect and doesn't have a correct issuerName. Verified that pki-server db-update fails with the exception.

  File "/usr/lib/python2.7/site-packages/pki/server/cli/db.py", line 226, in add_issuer_name
    cert = nss.Certificate(bytearray(attr_cert[0]))
NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
ERROR: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.

Hello, I have added above mentioned test cases. I think this testing is only for CA subsystem.
Thanks
Geetika

Could you please clarify if this testing needs to be done for other subsystems like KRA, OCSP, TKS and TPS? I have tested for CA only.

I think this bug has already been verified in comment #5 or test case 1 in comment #6. I'm not sure about the expected result for test case 3. If it's a problem please open a separate bug. Since certificate records only exist in CA, this test does not need to be executed on other subsystems.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
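A pre-flight check for the verification steps in this report, as an added example that is not part of the bug thread or of pki-core: it parses ldapsearch LDIF output (unfolding continuation lines) and lists certificateRecord entries that lack issuerName or whose userCertificate;binary value does not look like DER, the kind of record test case 3 exercised. The sample LDIF, the o=example-CA suffix and the function names parse_ldif and preflight are assumptions constructed for this example.

```python
import base64

# Constructed sample (not from the bug report): cn=2 lacks issuerName, cn=3 is not DER.
SAMPLE_LDIF = """\
dn: cn=1,ou=certificateRepository,ou=ca,o=example-CA
objectClass: certificateRecord
userCertificate;binary:: MIIBAA==
issuerName: CN=CA Signing Certificate,O=example
 .test Security Domain

dn: cn=2,ou=certificateRepository,ou=ca,o=example-CA
objectClass: certificateRecord
userCertificate;binary:: MIIBAA==

dn: cn=3,ou=certificateRepository,ou=ca,o=example-CA
objectClass: certificateRecord
userCertificate;binary:: bm90IGEgY2VydA==
"""

def parse_ldif(text):
    """Yield {lowercase attribute: [values]} per entry, unfolding continuation lines."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):        # "attr:: ..." carries base64
                try:
                    value = base64.b64decode(value[1:].strip(), validate=True)
                except ValueError:           # binascii.Error is a ValueError
                    value = None             # undecodable, reported by preflight()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def preflight(text):
    """Return (missing_issuer, bad_cert) DN lists for certificateRecord entries."""
    missing, bad = [], []
    for entry in parse_ldif(text):
        if "certificateRecord" in entry.get("objectclass", []):
            if "issuername" not in entry:
                missing.append(entry["dn"][0])
            certs = entry.get("usercertificate;binary", [])
            # Heuristic only: a DER-encoded certificate starts with SEQUENCE tag 0x30.
            if not certs or any(c is None or c[:1] != b"\x30" for c in certs):
                bad.append(entry["dn"][0])
    return missing, bad
```

Run against saved ldapsearch output before and after the upgrade: the first list should be empty afterwards, and any DN in the second list is worth inspecting before the upgrade is attempted.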