Bug 856637
| Summary: | nss-db-gen, change default validity from 12 months to 48 months | | |
|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | wes hayutin <whayutin> |
| Component: | RHUA | Assignee: | James Slagle <jslagle> |
| Status: | CLOSED ERRATA | QA Contact: | mkovacik |
| Severity: | high | Priority: | high |
| Version: | 2.1 | CC: | jslagle, juwu, tsanders, vkuznets, whayutin |
| Target Release: | 2.1.1 | Doc Type: | Bug Fix |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2013-02-27 16:59:36 UTC | Type: | Bug |
| Doc Text: | The nss-db-gen script generated certificates that are valid for only 12 months. This bug fix updates the script and changes the default validity from 12 months to 48 months. | | |
Description
wes hayutin
2012-09-12 13:46:23 UTC
Set the VALID option to 45, since 3 months are added by default, we will get valid certs for 48 months. AIUI, the -w option is not needed.

commit 34813d3f0a1ba2c5c490888a19b11a76e3f4c649

QA: Verify the certificates for qpid generated by nss-db-gen are good for 48 months by running the following after installing the rh-rhua-config generated rpm:

    certutil -L -d /etc/pki/rhua/qpid-nss/ -n ca
    certutil -L -d /etc/pki/rhua/qpid-nss/ -n broker

The displayed certificates should be valid for 48 months.

    [root@rhua ~]# rpm -q rh-rhui-tools
    rh-rhui-tools-2.1.15-1.el6_3.noarch
    [root@rhua ~]# certutil -L -d /etc/pki/rhua/qpid-nss/ -n ca | grep "Not "
    Not Before: Mon Feb 04 09:11:50 2013
    Not After : Fri Nov 04 09:11:50 2016
    [root@rhua ~]# certutil -L -d /etc/pki/rhua/qpid-nss/ -n broker | grep "Not "
    Not Before: Mon Feb 04 09:11:50 2013
    Not After : Fri Nov 04 09:11:50 2016

Certificates are not getting updated with rhui update, they're still valid for 12 months only.

    [root@rhua ~]# certutil -L -d /etc/pki/rhua/qpid-nss/ -n ca | grep "Not "
    Not Before: Mon Feb 18 13:43:45 2013
    Not After : Tue Feb 18 13:43:45 2014
    [root@rhua ~]# certutil -L -d /etc/pki/rhua/qpid-nss/ -n broker | grep "Not "
    Not Before: Mon Feb 18 13:43:45 2013
    Not After : Tue Feb 18 13:43:45 2014

I think it was supposed to be this way and we won't go with regenerating them during upgrade. Putting needinfo to be 100% sure.

That's correct, they won't get updated automatically on a rhui update. It's a separate manual process.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0571.html
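The QA step in this report compares the "Not Before" and "Not After" lines by eye. The script below is an added example, not part of the bug report or of rh-rhui-tools, that turns the same certutil output into a month count and a pass/fail check. The function names are hypothetical, and the two samples are the date lines quoted in the comments above.

```shell
#!/bin/sh
# Added example: measure certificate validity from `certutil -L` text output.
# Typical use on a RHUA (path taken from this report):
#   certutil -L -d /etc/pki/rhua/qpid-nss/ -n ca | meets_validity 48

# validity_months: reads certutil -L output on stdin and prints the number of
# whole calendar months between Not Before and Not After (exit 2 if missing).
validity_months() {
    awk '
    # Map a three-letter month name to 1..12.
    function mon(n) { return (index("JanFebMarAprMayJunJulAugSepOctNovDec", n) + 2) / 3 }
    # Lines look like "Not Before: Mon Feb 04 09:11:50 2013"
    #             and "Not After : Fri Nov 04 09:11:50 2016".
    /Not Before/ { sub(/.*Not Before *: */, ""); split($0, b, " "); seen_b = 1 }
    /Not After/  { sub(/.*Not After *: */, "");  split($0, a, " "); seen_a = 1 }
    END {
        if (!seen_b || !seen_a) exit 2
        m = (a[5] - b[5]) * 12 + (mon(a[2]) - mon(b[2]))
        if (a[3] + 0 < b[3] + 0) m--      # last month not yet complete
        print m
    }'
}

# meets_validity MIN: exit 0 if the certificate on stdin is valid for at least
# MIN whole months, 1 if it is shorter, 2 if the dates could not be parsed.
meets_validity() {
    months=$(validity_months) || return 2
    [ "$months" -ge "$1" ]
}

# Sample input: the date lines quoted in this report's comments.
SAMPLE_FIRST='Not Before: Mon Feb 04 09:11:50 2013
Not After : Fri Nov 04 09:11:50 2016'
SAMPLE_SECOND='Not Before: Mon Feb 18 13:43:45 2013
Not After : Tue Feb 18 13:43:45 2014'

for s in "$SAMPLE_FIRST" "$SAMPLE_SECOND"; do
    echo "validity: $(printf '%s\n' "$s" | validity_months) months"
done
```

The count runs from Not Before to Not After exactly as certutil prints them, so pass meets_validity the threshold you expect for that span.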