Bug 1466894

Summary: update-ca-trust for Java doesn't handle self-signed certificates without CA extension
Product: Red Hat Enterprise Linux 7
Reporter: Chris Dolphy <cdolphy>
Component: ca-certificates
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.5
Target Milestone: rc
Last Closed: 2017-06-30 17:19:49 UTC
Type: Bug

Description Chris Dolphy 2017-06-30 17:03:21 UTC
Description of problem:
update-ca-trust only uses CA certs (certificates with the CA extensions set), but for development our customers use self-signed certs, which are then ignored by update-ca-trust.

For pre-production software development, self-signed certificates are often used instead of CA-signed certificates. Clients of the services using these certificates need to trust them, but when they try to, the certificates are ignored by update-ca-trust. When keytool is used to generate the certificate, it will not set the CA flag unless specifically instructed, so this is an issue that is encountered frequently.

To summarize:
1) can't use keytool because update-ca-trust overwrites it
2) can't use update-ca-trust because it ignores their certificates
3) can't (easily) change the certificate because it is a 3rd-party server certificate in a test environment

Version-Release number of selected component (if applicable):
Any

How reproducible:
Easy

Steps to Reproduce:
1. generate a self-signed certificate with Java's keytool:
keytool -genkey -alias example -keyalg RSA -keystore keystore.jks -keysize 2048 -dname cn=example.com
2. extract the cert to PEM (-rfc makes keytool write PEM; without it the file is DER):
keytool -export -rfc -alias example -file example.crt -keystore keystore.jks
3. copy cert to /etc/pki/ca-trust/source/
cp example.crt /etc/pki/ca-trust/source/
4. run update-ca-trust
5. check for the certificate in cacerts:
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit

Actual results:
New certificate not in cacerts.

Expected results:
Certificate in cacerts!

Additional info:
Changing the filter in update-ca-certs for Java fixes this.

from 
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
to
/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth $DEST/java/cacerts

However, other options may be a better fix.
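The reproduction above, reworked as an added example (editor's, not part of the bug report or of the ca-certificates package) that uses openssl instead of keytool so it runs without a JDK. It generates two self-signed certificates for example.com, one without basicConstraints (what keytool -genkey emits by default) and one marked CA:TRUE, and checks each for the CA flag, which is the property the ca-anchors filter in the quoted p11-kit command selects on and the certificates filter does not; the check is a local grep over openssl x509 -text, not a call into p11-kit, and the config section names, file names and working directory are the example's own. Two caveats a practitioner will want before reaching for the filter change: update-ca-trust(8) documents /etc/pki/ca-trust/source/anchors/ as the location for plain PEM or DER certificates (the report copies into source/ itself), and switching the Java extraction to --filter=certificates would make every certificate in the source directories a trust anchor for every Java client on the host, because a cacerts keystore holds only trusted-certificate entries. If the test certificate can be regenerated, keytool can set the flag at generation time with -ext bc:c (basicConstraints, critical, CA:TRUE), the keytool counterpart of the ca section below.

```shell
#!/bin/sh
# Added example (not from the bug report): show why --filter=ca-anchors
# skips a keytool-style self-signed cert and what changes when the cert
# carries basicConstraints CA:TRUE. Uses openssl instead of keytool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config (example's own). Section "leaf" has no
# basicConstraints, like keytool -genkey by default; section "ca" marks
# the certificate as a CA, which is what keytool -ext bc:c would do.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = leaf
[dn]
[leaf]
subjectAltName = DNS:example.com
[ca]
basicConstraints = critical, CA:TRUE
subjectAltName   = DNS:example.com
EOF

# gen_cert OUTFILE EXTSECTION: self-signed cert for CN=example.com,
# extensions taken from EXTSECTION of the config above.
gen_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=example.com -config "$WORK/openssl.cnf" \
        -extensions "$2" -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
}

# is_ca_anchor FILE: exit 0 iff the cert carries basicConstraints CA:TRUE.
# Assumption: this is the property the ca-anchors filter selects on; it is
# a local check with openssl, not p11-kit's own evaluation.
is_ca_anchor() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# explain FILE: print which of the two p11-kit filters quoted in the
# report would pick the certificate up, assuming it sits in
# /etc/pki/ca-trust/source/anchors/.
explain() {
    if is_ca_anchor "$1"; then
        echo "$1: CA:TRUE -> included by --filter=ca-anchors and --filter=certificates"
    else
        echo "$1: no CA flag -> skipped by --filter=ca-anchors, included only by --filter=certificates"
    fi
}

gen_cert "$WORK/leaf.pem" leaf
gen_cert "$WORK/ca.pem" ca
explain "$WORK/leaf.pem"
explain "$WORK/ca.pem"
```

Run it as a normal user; it touches nothing under /etc. Once a certificate passes is_ca_anchor, dropping it into /etc/pki/ca-trust/source/anchors/ and running update-ca-trust is the supported route, and keytool -list on /etc/pki/java/cacerts (step 5 of the report) shows whether it arrived.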