Bug 1466043

Summary: Cert validity check is invalid when system date changes
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED NOTABUG
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: enewland
Target Milestone: rc
Keywords: GSSTriaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-15 16:00:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Matthew Harmsen 2017-06-28 20:44:29 UTC
The cert VALIDITY from the CA database is printed when the command pki ca-cert-find is executed. When the system date passes the validity range and the system date is then changed back to within the validity range, the cert's validity is set as EXPIRED even though it is still valid.


STEPS TO REPRODUCE:

1. Check the system date and the validity of a certificate.
2. Set the system date to a date beyond the expiry date.
3. Restart the PKI instance.
4. Check validity through pki ca-cert-find. The certificate should be listed as EXPIRED.
5. Change the system date back and restart the PKI server.
6. Check validity through pki ca-cert-find. The certificate is still listed as EXPIRED.


EXPECTED:

The certificate's validity should be checked against the local date, and so the certificate should be changed to VALID.


LOG:

All certificates are VALID but are listed as EXPIRED.

[root@localhost pki-config]# pki ca-cert-find
---------------
8 entries found
---------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Tue Jun 27 12:52:20 EDT 2034
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x3
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:21 EDT 2014
  Not Valid After: Thu Jun 16 12:52:21 EDT 2016
  Issued On: Fri Jun 27 12:52:21 EDT 2014
  Issued By: system

  Serial Number: 0x7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sun Jun 28 17:41:26 EDT 2015
  Not Valid After: Sat Jun 17 17:41:26 EDT 2017
  Issued On: Sun Jun 28 18:14:09 EDT 2015
  Issued By: caadmin

  Serial Number: 0x8
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Aug 28 10:26:24 EDT 2015
  Not Valid After: Thu Jul 27 10:26:24 EDT 2017
  Issued On: Sun Jun 28 10:41:12 EDT 2015
  Issued By: caadmin
----------------------------
Number of entries returned 8
----------------------------
[root@localhost pki-config]# date
Thu Feb 25 11:05:29 EST 2016



See also this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1462308

The cert status in the cert record might be used for CRL generation.
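The report's expected behaviour is that validity is decided from the certificate's own dates and the current clock, not from a status string persisted in the cert record. The script below is an added example, not code from pki or from the reporter: it parses the text that pki ca-cert-find prints (the field labels are those visible in the log above), recomputes the status from Not Valid Before / Not Valid After at a clock of your choosing, and reports every record whose stored Status disagrees. SAMPLE_OUTPUT is a constructed excerpt of the listing in the report, CLOCK is the `date` value shown under it, the EDT/EST offset table is an assumption about the CA host's zone, and the NOT_YET_VALID label is the script's own rather than a pki status value. It goes slightly beyond the report by also catching the not-yet-valid case and by skipping REVOKED records, whose state the clock alone cannot override.

```python
"""Cross-check the Status that `pki ca-cert-find` prints against the
certificate's own validity window, evaluated at a clock we supply.

Added example for this report; not code from pki or from the reporter.
SAMPLE_OUTPUT is a constructed excerpt of the log in the report, and the
parser relies only on the field labels visible there."""
import re
from datetime import datetime, timedelta, timezone

# strptime's %Z only accepts the local zone name, so map the abbreviations
# seen in the report's output to fixed offsets. Assumption: the CA host logs
# US Eastern time, as in the posted log; extend the table for other hosts.
TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0, "GMT": 0}

DATE_RE = re.compile(r"\w{3}\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\w+)\s+(\d{4})")


def parse_pki_date(text):
    """Turn 'Fri Jun 27 12:52:20 EDT 2014' into a timezone-aware datetime."""
    m = DATE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised pki date: %r" % text)
    stamp, tz_name, year = m.groups()
    tz = timezone(timedelta(hours=TZ_OFFSETS[tz_name]))
    return datetime.strptime("%s %s" % (stamp, year), "%b %d %H:%M:%S %Y").replace(tzinfo=tz)


def parse_cert_find(output):
    """Split pki ca-cert-find output into one {field: value} dict per record."""
    records, current = [], None
    for line in output.splitlines():
        if ":" not in line:
            continue  # separators, counts and blank lines carry no fields
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Serial Number":  # first field of every record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def status_from_dates(record, now):
    """Status the validity window implies at `now`; revocation is not considered.
    NOT_YET_VALID is this script's own label, not a pki status value."""
    if now < parse_pki_date(record["Not Valid Before"]):
        return "NOT_YET_VALID"
    if now > parse_pki_date(record["Not Valid After"]):
        return "EXPIRED"
    return "VALID"


def find_stale_statuses(output, now):
    """List (serial, stored status, date-implied status) for every mismatch.
    Only VALID/EXPIRED are compared: REVOKED and similar lifecycle states are
    decisions recorded by the CA, which the clock alone cannot overturn."""
    stale = []
    for rec in parse_cert_find(output):
        stored = rec.get("Status")
        if stored not in ("VALID", "EXPIRED"):
            continue
        implied = status_from_dates(rec, now)
        if stored != implied:
            stale.append((rec["Serial Number"], stored, implied))
    return stale


# Constructed excerpt of the `pki ca-cert-find` output in the report (three
# of its eight records, two of them trimmed to the fields the check needs).
SAMPLE_OUTPUT = """\
---------------
3 entries found
---------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Tue Jun 27 12:52:20 EDT 2034
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016

  Serial Number: 0x8
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Not Valid Before: Fri Aug 28 10:26:24 EDT 2015
  Not Valid After: Thu Jul 27 10:26:24 EDT 2017
----------------------------
Number of entries returned 3
----------------------------
"""

# The clock the report shows right after the listing (`date` output).
CLOCK = parse_pki_date("Thu Feb 25 11:05:29 EST 2016")

if __name__ == "__main__":
    for serial, stored, implied in find_stale_statuses(SAMPLE_OUTPUT, CLOCK):
        print("%s: stored %s, but dates say %s" % (serial, stored, implied))
```

Run against the excerpt at the report's clock it flags only 0x2 (stored EXPIRED, dates say VALID); fed the full listing it would flag 0x2 through 0x7. Pipe real output in with `pki ca-cert-find | python3 check_status.py`-style plumbing by reading sys.stdin instead of SAMPLE_OUTPUT. A stored EXPIRED that the dates contradict is the symptom described above; a stored VALID that the dates contradict is the more dangerous direction, since the comment about CRL generation suggests the stored field may be consumed downstream.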

Comment 2 Matthew Harmsen 2017-10-25 16:57:13 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 3 Matthew Harmsen 2017-11-15 16:00:51 UTC
ftweedal wrote:

Per discussion with Ade, closing this INVALID. If it actually breaks something please reopen and provide more info.