Red Hat Bugzilla – Bug 1163498
Renewing the CA signing certificate does not extend its validity period end
Last modified: 2015-03-05 05:14:37 EST
Cloned the original bug here and am adding the notes/output from what I saw for the same thing:

[root@rhel71-1 ~]# date
Thu Nov 2 00:50:50 CDT 2034

[root@rhel71-1 ~]# ipa-certupdate
trying https://rhel71-1.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://rhel71-1.example.com/ipa/json'
Systemwide CA database updated.
Added the CA to the systemwide CA trust database.
The ipa-certupdate command was successful

Checking that all certs are good:

[root@rhel71-1 ~]# getcert list | egrep "status|expires"
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC
        status: MONITORING
        expires: 2034-11-05 20:44:23 UTC

Looking for the CA:

[root@rhel71-1 ~]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 115 (0x73)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 1 (0x1)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"

[root@rhel71-1 ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 \
> -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | \
> egrep "ipaCertIssuerSerial:|ipaCertSubject:|^cn:|^dn:"
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: certificates
dn: cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM IPA CA
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.COM;1
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.COM;115
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.COM
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4717
FYI, the above results were from IPA's automatic renewal, but I see the same results with manual renewal:

[root@rhel71-1 ~]# ipa-cacert-manage renew -p Secret123
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

[root@rhel71-1 ~]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 115 (0x73)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 1 (0x1)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"

[root@rhel71-1 ~]# ipa-certupdate
trying https://rhel71-1.example.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 'https://rhel71-1.example.com/ipa/session/json'
Systemwide CA database updated.
Added the CA to the systemwide CA trust database.
The ipa-certupdate command was successful

[root@rhel71-1 ~]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 124 (0x7c)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 115 (0x73)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 1 (0x1)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"

So it seems like the cert from IPA's manual renewal with ipa-cacert-manage also has the same issue with the date.
FYI, just a little more info and another test trying to manually renew with ipa-cacert-manage:

########## checking date and expirations:

[root@rhel7-3 ~]# date
Thu Jun 8 20:58:07 CDT 2034

[root@rhel7-3 ~]# getcert list | egrep "status|expires|Request|subject"
Request ID '20141118134354':
        status: MONITORING
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134355':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134356':
        status: MONITORING
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134357':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134358':
        status: MONITORING
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134359':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134400':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134440':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC

[root@rhel7-3 ~]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 1 (0x1)
            Not After : Sat Nov 18 13:43:15 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"

[root@rhel7-3 ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 \
> -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | \
> egrep "ipaCertIssuerSerial:|ipaCertSubject:|^cn:|^dn:"
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: certificates
dn: cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM IPA CA
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.COM;1
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.COM

########### Now renew:

[root@rhel7-3 ~]# ipa-cacert-manage renew -p Secret123
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

############ update client side:

[root@rhel7-3 ~]# ipa-certupdate
trying https://rhel7-3.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://rhel7-3.example.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

############ Checking expirations:

[root@rhel7-3 ~]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 91 (0x5b)
            Not After : Sat Nov 18 13:43:15 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 1 (0x1)
            Not After : Sat Nov 18 13:43:15 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"

[root@rhel7-3 ~]# getcert list | egrep "status|expires|Request|subject"
Request ID '20141118134354':
        status: MONITORING
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134355':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134356':
        status: MONITORING
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134357':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134358':
        status: MONITORING
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134359':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134400':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC
Request ID '20141118134440':
        status: MONITORING
        subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
        expires: 2034-11-18 13:43:15 UTC

So, it doesn't appear to extend the expiration past the original even on a fresh install and IPA manual renew.
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/52b141ca6a257b8f12d9ad2ade812ec1bfebf0d7
ipa-4-1: https://fedorahosted.org/freeipa/changeset/7aa855a37b1996588d7d2084176e38145b1587be
Verified.

Version ::
ipa-server-4.1.0-7.el7.x86_64
certmonger-0.75.14-2.el7.x86_64

Results ::

I walked the time forward to within 5 days of the 2034 expiration time.

[root@vm3 log]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

[root@vm3 log]# getcert list | egrep "status|expires|Request|subject"
Request ID '20141121160316':
        status: MONITORING
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160317':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160318':
        status: MONITORING
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160319':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2054-11-16 22:26:24 UTC
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request ID '20141121160320':
        status: MONITORING
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160321':
        status: MONITORING
        subject: CN=vm3.example.test,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160322':
        status: MONITORING
        subject: CN=vm3.example.test,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC
Request ID '20141121160347':
        status: MONITORING
        subject: CN=vm3.example.test,O=EXAMPLE.TEST
        expires: 2034-11-21 16:02:41 UTC

See 20141121160319 above. The date has been extended beyond the 2034 expiration it originally had.

[root@vm3 log]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 \
> -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=test | \
> egrep "ipaCertIssuerSerial:|ipaCertSubject:|^cn:|^dn:"
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: certificates
dn: cn=EXAMPLE.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST IPA CA
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;1
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;100
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.TEST

[root@vm3 log]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.TEST IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 1 (0x1)
            Not After : Tue Nov 21 16:02:41 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"

[root@vm3 log]# ipa-certupdate
trying https://vm3.example.test/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://vm3.example.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@vm3 log]# certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.TEST IPA CA" | \
> egrep "Serial Number: |Not After :|Subject:"
        Serial Number: 100 (0x64)
            Not After : Mon Nov 16 22:26:24 2054
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Serial Number: 1 (0x1)
            Not After : Tue Nov 21 16:02:41 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"

Now I can see the date pushed out to 2054 as expected.
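The reproduction steps above and the verification comment both come down to the same check: after ipa-cacert-manage renew and ipa-certupdate, the highest-serial "CN=Certificate Authority" entry in /etc/ipa/nssdb must carry a later Not After than serial 1. The script below is an added example, not code from this bug report or from FreeIPA; it parses the egrep-filtered certutil -L listing format shown in the comments and reports whether the renewal actually extended validity. The two embedded listings are constructed from the output pasted in the comments (the failing case from the manual-renewal test, the fixed case from the verification run); the function and constant names are this example's own.

```python
"""Check whether a renewed IPA CA certificate really extended its validity.

Added example (not part of the bug report or of FreeIPA). Input is the
output of
    certutil -d /etc/ipa/nssdb -L -n "<REALM> IPA CA" | \
      egrep "Serial Number: |Not After :|Subject:"
Certificates are grouped by subject; the lowest serial is the original CA
cert and the highest serial is the newest renewal.
"""
import re
from collections import namedtuple
from datetime import datetime

CaCert = namedtuple("CaCert", "serial not_after subject")

SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")
# "Subject:" with the colon directly after it, so "Subject Public Key Info:"
# from an unfiltered listing is not matched.
SUBJECT_RE = re.compile(r'Subject:\s*"?([^"]+)"?')

# Constructed from the listings in the comments above (not live output).
BROKEN_OUTPUT = """\
        Serial Number: 124 (0x7c)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 115 (0x73)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Serial Number: 1 (0x1)
            Not After : Sun Nov 05 20:44:23 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
"""

FIXED_OUTPUT = """\
        Serial Number: 100 (0x64)
            Not After : Mon Nov 16 22:26:24 2054
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Serial Number: 1 (0x1)
            Not After : Tue Nov 21 16:02:41 2034
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"
"""


def parse_certutil(text):
    """Parse a certutil -L listing into CaCert records.

    certutil prints one block per certificate and each block begins with
    its Serial Number line, so a new serial starts a new record.
    """
    certs = []
    serial = not_after = subject = None
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            if serial is not None:
                certs.append(CaCert(serial, not_after, subject))
            serial, not_after, subject = int(m.group(1)), None, None
            continue
        m = NOT_AFTER_RE.search(line)
        if m:
            # certutil date format, e.g. "Sun Nov 05 20:44:23 2034"
            not_after = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        m = SUBJECT_RE.search(line)
        if m:
            subject = m.group(1).strip()
    if serial is not None:
        certs.append(CaCert(serial, not_after, subject))
    return certs


def renewal_extended_validity(certs, subject):
    """Return (extended, original_not_after, newest_not_after) for subject.

    extended is True only when the highest-serial certificate expires
    strictly later than the lowest-serial one. Raises ValueError when there
    is only one certificate for the subject, i.e. nothing was renewed.
    """
    mine = sorted((c for c in certs if c.subject == subject),
                  key=lambda c: c.serial)
    if len(mine) < 2:
        raise ValueError("no renewed certificate for %r" % subject)
    original, newest = mine[0], mine[-1]
    return (newest.not_after > original.not_after,
            original.not_after, newest.not_after)


if __name__ == "__main__":
    import sys
    # Pipe live certutil output in, or run without stdin to see the samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else FIXED_OUTPUT
    certs = parse_certutil(text)
    subject = certs[0].subject
    ok, old, new = renewal_extended_validity(certs, subject)
    print("%s: original expires %s, newest expires %s -> %s"
          % (subject, old, new, "extended" if ok else "NOT extended"))
```

On a live server run it as certutil -d /etc/ipa/nssdb -L -n "EXAMPLE.COM IPA CA" | egrep "Serial Number: |Not After :|Subject:" | python3 check_ca_renewal.py after ipa-certupdate has pulled the renewed cert into the NSS database; "NOT extended" with more than one serial is exactly the symptom this bug describes.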
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html