Bug 1925311

Summary: [RFE] Add a Boolean to Not Allow a CA Certificate Issued Past Issuing CA's Validity
Product: Red Hat Enterprise Linux 8
Reporter: Chris Zinda <czinda>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: aakkiang, afarley, cfu, dpunia, edewata, mharmsen, rhcs-maint, skhandel
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.6-8050020210604044720.01d2cef5
Doc Type: If docs needed, set a value
Last Closed: 2021-11-09 18:39:04 UTC
Type: Story
Bug Depends On: 1963851
Bug Blocks: 1953739

Description Chris Zinda 2021-02-04 20:27:14 UTC
Description of problem:
Customer is looking for a way to toggle to stop allowing CAs to be issued past the issuing CA's validity period. This is a concern that they are seeking to address as they are concerned it goes against their policies.

Version-Release number of selected component (if applicable):
pki-ca*

How reproducible:
Very

Steps to Reproduce:
1. Issue a CA certificate with the date going beyond the issuing CA's validity period


Actual results:
Cert gets issued with no problems. All other certs will reset to the notAfter of the issuing CA.

Expected results:
Same as every other cert issued.

Additional info:
This is what occurs for a regular Server cert.  It identifies that the notAfter is past the CA's own and resets it.
[25/Jan/2021:14:46:35][http-bio-8443-exec-5]: CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting

This is what appears for a CA cert.  It just alerts you of the issue.
[25/Jan/2021:14:48:51][http-bio-8443-exec-5]: CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.


And in looking at the code, this was intended.

base/ca/src/com/netscape/ca/CAService.java
            // The requested notAfter (end) lies beyond the issuing CA's own notAfter.
            if (end.after(caNotAfter)) {
                if (!is_ca) {
                    // End-entity cert: clamp to the CA's notAfter unless ca.enablePastCATime is set.
                    if (!engine.getEnablePastCATime()) {
                        end = caNotAfter;
                        certi.set(CertificateValidity.NAME,
                                new CertificateValidity(begin, caNotAfter));
                        logger.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting");
                    } else {
                        logger.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting");
                    }
                } else {
                    // CA cert: only logged; the requested validity is kept as-is (the behaviour this RFE targets).
                    logger.debug("CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.");
                } //!is_ca

                logger.info(CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER"));
            }

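The validity check quoted above, modelled as an added Python example (not PKI's own code): issue_validity reproduces the CAService branch and adds the Boolean this RFE asks for under the hypothetical name allow_ca_cert_past_ca_time, and find_overlong_certs audits an already-issued chain for CA certificates that outlive their issuer. Apart from ca.enablePastCATime and the log strings, every name and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Only ca.enablePastCATime and the log strings come from the bug report; the
# other names, the CA-cert Boolean and the sample dates are constructed here.

@dataclass
class IssuancePolicy:
    # ca.enablePastCATime (on the page): lets end-entity certs outlive the CA.
    enable_past_ca_time: bool = False
    # Hypothetical Boolean this RFE asks for. Default True mirrors the legacy
    # behaviour in the bug: CA certs past the CA's notAfter are logged, not reset.
    allow_ca_cert_past_ca_time: bool = True

@dataclass
class Decision:
    not_after: datetime  # effective notAfter written into the certificate
    reset: bool          # True when the requested end was clamped to the CA's notAfter
    message: str         # debug line in the style of CAService.issueX509Cert

def issue_validity(end: datetime, ca_not_after: datetime, is_ca: bool,
                   policy: IssuancePolicy) -> Decision:
    """Mirror of the CAService.issueX509Cert branch, plus the requested CA-cert Boolean."""
    if end <= ca_not_after:
        return Decision(end, False, "within CA's NOT_AFTER")
    if not is_ca:
        if not policy.enable_past_ca_time:
            return Decision(ca_not_after, True,
                            "cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting")
        return Decision(end, False,
                        "cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting")
    if not policy.allow_ca_cert_past_ca_time:
        return Decision(ca_not_after, True, "CA cert issuance past CA's NOT_AFTER...resetting")
    return Decision(end, False, "CA cert issuance past CA's NOT_AFTER.")

def find_overlong_certs(chain: list) -> list:
    """Audit an issued chain of (name, notAfter) pairs, leaf first and root last: return
    the names of certificates whose notAfter is later than their issuer's notAfter."""
    return [name for (name, end), (_, issuer_end) in zip(chain, chain[1:])
            if end > issuer_end]

# Constructed sample input: a CA expiring in 2030 asked to sign a sub-CA until 2035.
CA_NOT_AFTER = datetime(2030, 1, 1, tzinfo=timezone.utc)
REQUESTED_END = datetime(2035, 1, 1, tzinfo=timezone.utc)
SAMPLE_CHAIN = [("leaf", CA_NOT_AFTER), ("sub-ca", REQUESTED_END), ("root", CA_NOT_AFTER)]

if __name__ == "__main__":
    print(issue_validity(REQUESTED_END, CA_NOT_AFTER, True, IssuancePolicy()))
    print(find_overlong_certs(SAMPLE_CHAIN))  # ['sub-ca']
```
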
Comment 27 errata-xmlrpc 2021-11-09 18:39:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:4239