Bug 1413616

Summary: Expiring /CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007 certifi
Product: Red Hat Enterprise Linux 6 Reporter: Hubert Kario <hkario>
Component: ca-certificatesAssignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED INSUFFICIENT_DATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.8   
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-31 13:33:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hubert Kario 2017-01-16 14:24:18 UTC
This is just a tracking bug, unless the CA in question requests or has 
requested upstream for an inclusion of refreshed certificate, it does not 
require any action at this point.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
        Validity
            Not Before: Dec 25 18:37:19 2007 GMT
            Not After : Dec 22 18:37:19 2017 GMT
        Subject: CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:b7:3e:0a:8c:c8:a5:58:15:e6:8a:ef:27:3d:
                    4a:b4:e8:25:d3:cd:33:c2:20:dc:19:ee:88:3f:4d:
                    62:f0:dd:13:77:8f:61:a9:2a:b5:d4:f2:b9:31:58:
                    29:3b:2f:3f:6a:9c:6f:73:76:25:ee:34:20:80:ee:
                    ea:b7:f0:c4:0a:cd:2b:86:94:c9:e3:60:b1:44:52:
                    b2:5a:29:b4:91:97:83:d8:b7:a6:14:2f:29:49:a2:
                    f3:05:06:fb:b4:4f:da:a1:6c:9a:66:9f:f0:43:09:
                    ca:ea:72:8f:eb:00:d7:35:39:d7:56:17:47:17:30:
                    f4:be:bf:3f:c2:68:af:36:40:c1:a9:f4:a9:a7:e8:
                    10:6b:08:8a:f7:86:1e:dc:9a:2a:15:06:f6:a3:f0:
                    f4:e0:c7:14:d4:51:7f:cf:b4:db:6d:af:47:96:17:
                    9b:77:71:d8:a7:71:9d:24:0c:f6:94:3f:85:31:12:
                    4f:ba:ee:4e:82:b8:b9:3e:8f:23:37:5e:cc:a2:aa:
                    75:f7:18:6f:09:d3:ae:a7:54:28:34:fb:e1:e0:3b:
                    60:7d:a0:be:79:89:86:c8:9f:2d:f9:0a:4b:c4:50:
                    a2:e7:fd:79:16:c7:7a:0b:18:cf:ce:4c:ef:7d:d6:
                    07:6f:98:f1:af:b1:c1:7a:d7:81:35:b8:aa:17:b4:
                    e0:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                29:C5:90:AB:25:AF:11:E4:61:BF:A3:FF:88:61:91:E6:0E:FE:9C:81
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         10:0d:da:f8:3a:ec:28:d1:14:95:82:b1:12:2c:51:7a:41:25:
         36:4c:9f:ec:3f:1f:84:9d:65:54:5c:a8:16:02:40:fa:6e:1a:
         37:84:ef:72:9d:86:0a:55:9d:56:28:ac:66:2c:d0:3a:56:93:
         34:07:25:ad:08:b0:8f:c8:0f:09:59:ca:9d:98:1c:e5:54:f8:
         b9:45:7f:6a:97:6f:88:68:4d:4a:06:26:37:88:02:0e:b6:c6:
         d6:72:99:ce:6b:77:da:62:31:a4:56:1f:ae:5f:8d:77:da:5d:
         f6:88:fc:1a:d9:9e:b5:81:f0:32:b8:e3:88:d0:9c:f3:6a:a0:
         b9:9b:14:59:35:36:4f:cf:f3:8e:5e:5d:17:ad:15:95:d8:dd:
         b2:d5:15:6e:00:4e:b3:4b:cf:66:94:e4:e0:cd:b5:05:da:63:
         57:8b:e5:b3:aa:db:c0:2e:1c:90:44:db:1a:5d:18:a4:ee:be:
         04:5b:99:d5:71:5f:55:65:64:62:d5:a2:9b:04:59:86:c8:62:
         77:e7:7c:82:45:6a:3d:17:bf:ec:9d:75:0c:ae:a3:6f:5a:d3:
         2f:98:36:f4:f0:f5:19:ab:11:5d:c8:a6:e3:2a:58:6a:42:09:
         c3:bd:92:26:66:32:0d:5d:08:55:74:ff:8c:98:d0:0a:a6:84:
         6a:d1:39:7d

sha256 fingerprint: 978cd966f2faa07ba7aa9500d9c02e9d77f2cdada6ad6ba74af4b91c66593c50

Comment 1 Kai Engert (:kaie) (inactive account) 2017-08-31 13:33:15 UTC
I'm declaring this bug unnecessary. I suggest to stop filing such bugs in the future.

The only reason we have started to file them was an exceptional issue in the past, which hasn't ever occurred again, when a CA created an emergency refresh of a root certificate with the same key and extended validity.

The package maintainer of the ca-certificates package must carefully watch all new releases of the upstream release for such occurrences, which shall be sufficient to detect if urgent action for RHEL is necessary.

The fact that this bug has been filed doesn't help, as it would require to constantly "poll" for new upstream changes affecting this CA. This is unrealistic.

We need a "push" notification, made by the package maintainer, by watching upstream changes.