Bug 1940261
| Summary: | [RFE] Include certificate NotBefore date in output of the 'getcert list' command | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Marco Rhodes <mrhodes> |
| Component: | certmonger | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.3 | CC: | frenaud, ksiddiqu, msauton, myusuf, pcech, rcritten, ssidhaye, sumenon, vvanhaft, wrydberg |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | certmonger-0.79.13-4.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1978383 | Environment: | |
| Last Closed: | 2022-05-10 13:38:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1978383 | | |

Description
Marco Rhodes
2021-03-18 00:21:00 UTC
to set the system clock back to when the certificates were valid, 1 day before expiration

```bash
# Find the earliest "Not After" among the PKI subsystem certificates.
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
                "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"; do
    certdate=$(date -d "$(certutil -L -d /etc/pki/pki-tomcat/alias -n "${nickname}" | grep -i after | cut -d: -f2-)" +%s)
    echo "$nickname - $certdate"
    [[ ${newdate:-99999999999} -gt "${certdate}" ]] && newdate=$certdate
done
# Set the clock to one day (86400 s) before that expiry.
date --set="$(date --date=@$((newdate - 86400)))"
```

Test automation in ipa master: https://pagure.io/freeipa/c/3272780439a579f5bfa6a609aa3c5094764c4109

Test automation in ipa ipa-4-9: https://pagure.io/freeipa/c/826b5825bd644fc69a9bee17626d71fe03cc0190

Kaleem, how do we want to coordinate the automated test changes that will be in ipa? Do we need a separate BZ for those?

(In reply to Rob Crittenden from comment #9)
> Kaleem, how do we want to coordinate the automated test changes that will be
> in ipa? Do we need a separate BZ for those?

automated test will come as part of rebase in 8.6, so we do not need a separate bz for that.

version: certmonger-0.79.13-5.el8.x86_64

```
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20211125062519':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=IPA RA,O=TESTRELM.TEST
	issued: 2021-11-25 01:25:19 EST
	expires: 2023-11-15 01:25:19 EST
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caSubsystemCert
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20211125062524':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=CA Audit,O=TESTRELM.TEST
	issued: 2021-11-25 01:24:04 EST
	expires: 2023-11-15 01:24:04 EST
	key usage: digitalSignature,nonRepudiation
	profile: caSignedLogCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20211125062526':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	issued: 2021-11-25 01:24:01 EST
	expires: 2023-11-15 01:24:01 EST
	eku: id-kp-OCSPSigning
	profile: caOCSPCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20211125062527':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	issued: 2021-11-25 01:24:03 EST
	expires: 2023-11-15 01:24:03 EST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caSubsystemCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20211125062528':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	issued: 2021-11-25 01:23:58 EST
	expires: 2041-11-25 01:23:58 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	profile: caCACert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20211125062529':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	issued: 2021-11-25 01:24:01 EST
	expires: 2023-11-15 01:24:01 EST
	dns: master.testrelm.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	profile: caServerCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20211125062533':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	issued: 2021-11-25 01:25:42 EST <<<<<<<<<<<<<<<<
	expires: 2023-11-26 01:25:42 EST
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20211125062616':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.testrelm.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	issued: 2021-11-25 01:26:16 EST <<<<<<<<<<<<<<<<
	expires: 2023-11-26 01:26:16 EST
	dns: master.testrelm.test,ipa-ca.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20211125062623':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	issued: 2021-11-25 01:26:23 EST <<<<<<<<<<<<<<<<
	expires: 2023-11-26 01:26:23 EST
	dns: master.testrelm.test
	principal name: krbtgt/TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
```

As we can see, issued is mentioned in getcert list output. Hence marking the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (certmonger bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1789
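
With `issued:` present next to `expires:` in the output above, the period in which every tracked certificate is valid at once can be read straight from `getcert list`, which is the constraint a clock rollback like the script earlier in this report has to satisfy. The following is an added example, not code from the bug report or from certmonger; `validity_window` and `sample_getcert_list` are hypothetical names, the sample is abridged from the output above, and all timestamps are assumed to share one timezone abbreviation.

```bash
#!/bin/sh
# Added example, not from the bug report or certmonger.
# Reads `getcert list` text on stdin and reports the window in which every
# tracked certificate is valid: latest "issued:" to earliest "expires:".
# Assumption: all timestamps share one timezone abbreviation, so the
# "YYYY-MM-DD HH:MM:SS" strings order correctly as plain text.
validity_window() {
  awk '
    /^Request ID/    { id = $3; gsub("[\047:]", "", id) }  # strip quotes, colon
    $1 == "issued:"  { ts = $2 " " $3; tz[$4] = 1
                       if (ts > nb) { nb = ts; nb_id = id } }
    $1 == "expires:" { ts = $2 " " $3; tz[$4] = 1
                       if (na == "" || ts < na) { na = ts; na_id = id } }
    END {
      n = 0; for (z in tz) n++
      # Output without issued: lines (certmonger before this fix) lands here.
      if (n != 1 || nb == "" || na == "") {
        print "ERROR missing issued/expires or mixed timezones"; exit 2
      }
      state = (nb < na) ? "OK" : "EMPTY"
      printf "%s latest-issued=%s (%s) earliest-expiry=%s (%s)\n",
             state, nb, nb_id, na, na_id
      exit (state == "OK" ? 0 : 1)
    }'
}

# Sample input abridged from the verification output in this report.
sample_getcert_list() {
  cat <<'EOF'
Request ID '20211125062519':
    issued: 2021-11-25 01:25:19 EST
    expires: 2023-11-15 01:25:19 EST
Request ID '20211125062526':
    issued: 2021-11-25 01:24:01 EST
    expires: 2023-11-15 01:24:01 EST
Request ID '20211125062616':
    issued: 2021-11-25 01:26:16 EST <<<<<<<<<<<<<<<<
    expires: 2023-11-26 01:26:16 EST
EOF
}

sample_getcert_list | validity_window
```

The exit status is 0 for a non-empty window, 1 when no single instant satisfies every certificate, and 2 when the input cannot be evaluated.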