Bug 1691417

Summary: [RFE] update ca-certificates RPM on RHEL 7
Product: Red Hat Enterprise Linux 7
Reporter: wclark
Component: ca-certificates
Assignee: Bob Relyea <rrelyea>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.7
CC: pasik, rbeyel, thomas.oulevey
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-15 22:28:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description wclark 2019-03-21 14:58:13 UTC
This issue arose out of a support case.

============================================================================
What problem/issue/behavior are you having trouble with?  What do you expect to see?

We need to update our CA root trusts to include Sectigo.  Comodo is included in the ca-certificates RPM on our servers, and upon investigation, this RPM has not changed in our synced repo in about a year:

$ yum info ca-certificates
Loaded plugins: product-id, search-disabled-repos
Installed Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2018.2.22
Release     : 70.0.el7_5
Size        : 951 k
Repo        : installed
From repo   : rhel-7-base-rpms-paychex-versioned-201806
Summary     : The Mozilla CA root certificate bundle
URL         : http://www.mozilla.org/
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.

Mozilla does include the Sectigo root trusts in their store: https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

Are we not syncing the right thing to get package updated, or when will the Sectigo root trust be added to this package?
============================================================================



We can see on the package browser that this is indeed the most recent version of the package for RHEL 7, although there is a version in the RHEL 8 beta RPMs.

Could we have the latest ca-certificates from Mozilla shipped with RHEL 7 as well?

Comment 3 wclark 2019-03-26 00:55:22 UTC
I have also opened the corresponding BZ https://bugzilla.redhat.com/show_bug.cgi?id=1692589 to have the ca-certificates RPM on RHEL 6 updated with the latest CA root certificate bundle from Mozilla.

Comment 6 Bob Relyea 2019-07-15 22:28:28 UTC
Closing as a dup of the annual ca-certificate update bug.

*** This bug has been marked as a duplicate of bug 1722991 ***