1305992 – Database upgrade script to add issuerName attribute to all cert entries

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1305992 - Database upgrade script to add issuerName attribute to all cert entries

Summary: Database upgrade script to add issuerName attribute to all cert entries

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.3
Assignee:	Fraser Tweedale
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-09 18:29 UTC by Matthew Harmsen
Modified:	2020-10-04 21:01 UTC (History)
CC List:	6 users (show)
Fixed In Version:	pki-core-10.3.2-3.el7
Doc Type:	Enhancement
Doc Text:	New "pki-server" subcommand to add the issuer DN to a certificate An enhancement in the Certificate Server now stores the issuer DN in new certificate records and the REST API certificate search enables support for filtering certificates by the issuer DN. To add the issuer DN to existing certificate records, run: # pki-server db-upgrade
Clone Of:
Environment:
Last Closed:	2016-11-04 05:23:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2226	0	None	None	None	2020-10-04 21:01:11 UTC
Red Hat Product Errata	RHBA-2016:2396	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-02-09 18:29:30 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/1667

Commit 465fa069ba67d655be28e1a3b9417dff19148e9f causes the
issuerName attribute to be included in certificate entries,
but a script is still needed to add this attribute to existing
certificate entries (so that they can be searched by issuer
alongside new certs).

Comment 1 Matthew Harmsen 2016-06-10 16:05:15 UTC

edewata fixed this:

Fixed in master:

    f306058c4fb2f1e80e753b744a4d26eaa53a293f
    8d239f0b5c01ec94075a52eec8d8f5485b172ffd

Comment 3 Roshni 2016-09-07 15:49:44 UTC

Endi,

Could you provide with steps to verify this bug?

Comment 4 Endi Sukma Dewata 2016-09-07 16:38:32 UTC

Fraser probably knows better, but I think basically it can be verified with these steps:

1. Create a CA with PKI 10.2.x packages.
2. Check the certificate records under ou=certificateRepository, ou=ca, SUFFIX in the DS. There should be entries without an issuerName attribute.
3. Upgrade the PKI packages to 10.3.x.
4. Run pki-server db-upgrade.
5. Check the certificate records in #2 again. They all should have an issuerName attribute now.

See also:
http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.2.x#Adding_issuerName_attribute

Comment 5 Geetika Kapoor 2016-09-14 06:42:25 UTC

Test Cases & Setup:
==================

Before Db upgrade:
---------------------


[root@cspki-vm1 yum.repos.d]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA" 
# extended LDIF
#
# LDAPv3
# base <ou=certificateRepository,ou=ca,o=pki-test-CA> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# certificateRepository, ca, pki-test-CA
dn: ou=certificateRepository,ou=ca,o=pki-test-CA
serialno: 011
ou: certificateRepository
objectClass: top
objectClass: repository
nextRange: 10000001

# 1, certificateRepository, ca, pki-test-CA
dn: cn=1,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 011
metaInfo: profileId:caCACert
metaInfo: requestId:1
notBefore: 20160918211906Z
notAfter: 20360918211906Z
duration: 12631152000000
subjectName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqT9wbTZlKhprpa2lm8
 R3b/IRCaywSrPAMdswwwhdzcwQ5id0lAUwbSE7VhDZYriyZOfZdO0DinMzAXzk9vFdyBgnh48rk4N
 SPSgMdWFQ3RR6V6cEjw4kdd0/bT9LmJqD6hOqOMsnXl86YLHg11YwnA/eSapYOYHo1Fvksga0ChVs
 qY8qe4lwmSAhAg7n3yYSGk83J9cVPLj/7LxDN+u1UvQSnaF6dewCpR6kS1IgSq8Km2ByVqCOgdTIH
 oM8NbHRXbprrCjjW41CLVmGsjX14uOwHhQ57mvkJXxAEs92m5bkUy7OCGTKlK9KJ+npLHErvVFie0
 SrQ9/JNq2bDYUM8wIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.14
extension: 2.5.29.35
extension: 2.5.29.15
extension: 2.5.29.19;isCA=true,pathLen=-1
userCertificate;binary:: MIID0zCCArugAwIBAgIBATANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwNloXDTM2MDkxODE1NDkwNlowUTEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln
 bmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk/cG02ZSoaa
 6WtpZvEd2/yEQmssEqzwDHbMMMIXc3MEOYndJQFMG0hO1YQ2WK4smTn2XTtA4pzMwF85PbxXcgYJ4
 ePK5ODUj0oDHVhUN0UelenBI8OJHXdP20/S5iag+oTqjjLJ15fOmCx4NdWMJwP3kmqWDmB6NRb5LI
 GtAoVbKmPKnuJcJkgIQIO598mEhpPNyfXFTy4/+y8QzfrtVL0Ep2henXsAqUepEtSIEqvCptgclag
 joHUyB6DPDWx0V26a6wo41uNQi1ZhrI19eLjsB4UOe5r5CV8QBLPdpuW5FMuzghkypSvSifp6SxxK
 71RYntEq0PfyTatmw2FDPMCAwEAAaOBtTCBsjAfBgNVHSMEGDAWgBSV6D6a5mxTmDbD9Rkgdo72aw
 IcGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUleg+muZsU5g2w/U
 ZIHaO9msCHBgwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzABhjNodHRwOi8vY3Nwa2ktdm0xLmVu
 Z2xhYi5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAJkjgpclF
 thPdkNAYRbJ2/uDcQtlS80d4HFdmTl0pawBeVGGtvUQVpAI4lS45pRji3Lj+1NFx4dYYKLJ3mBmD+
 RyJnpnkvfAXpUT1tjRkVpt0BCopDcKw7anHFjgloaGnQ9YFwyQObucYXpPpH/KeTnaLIY91DR1e+t
 Q/ULy1CTaAi/G+EsNprIwDhU+dUahCngU5uf24i0veVD6QuZzeWzxHOcG7H23E7m+5LTk0ALrVNAB
 0sz9x9h6XHYteXM6an8iWWJ+rqff3G+i3DrdOg5WOpYR1xzbvc6nq8Vr9K5Al97MdKi8xYE3dLgNr
 jukv+MaAswmPKVqc3Hi7Utwk8U=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211906Z
dateOfModify: 20160918211906Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 1

# 2, certificateRepository, ca, pki-test-CA
dn: cn=2,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 012
metaInfo: profileId:caOCSPCert
metaInfo: requestId:2
notBefore: 20160918211909Z
notAfter: 20180908211909Z
duration: 1162208000000
subjectName: CN=CA OCSP Signing Certificate,O=englab.pnq.redhat.com Security D
 omain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqSftDYW01XV4HrUzMq
 7NjGJru3gNDRfQ/J/kaovvErorrZWf/Qh2wIm5IldP4JHE8llXFTF9munUZgo9bnhZQ1ifAlE+jnm
 G6cG4+uFH4Ckv+p9iHfVtBiTDZVgfQ/PjYfZ6t8zLrSfXoCY07u3i9hefxK4UjCEi1snYPtW6yncz
 XeVpQeM/WXGglt+g/UuFYgffDEZ5d0fF4X6YvQhhi1vznMHnGquqYML8xhRYba0nEIrz/JTvRIh2J
 oimSPypZIxGRX26akdA/8cZW8Kn1yN0MqTZhZV0Bv1IP+PHhztFyWlkzx9VojY+01B8bagkQVNndY
 S/7vlzhjwsaylMOQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwOVoXDTE4MDkwODE1NDkwOVowVjEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEkMCIGA1UEAwwbQ0EgT0NT
 UCBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqSftD
 YW01XV4HrUzMq7NjGJru3gNDRfQ/J/kaovvErorrZWf/Qh2wIm5IldP4JHE8llXFTF9munUZgo9bn
 hZQ1ifAlE+jnmG6cG4+uFH4Ckv+p9iHfVtBiTDZVgfQ/PjYfZ6t8zLrSfXoCY07u3i9hefxK4UjCE
 i1snYPtW6ynczXeVpQeM/WXGglt+g/UuFYgffDEZ5d0fF4X6YvQhhi1vznMHnGquqYML8xhRYba0n
 EIrz/JTvRIh2JoimSPypZIxGRX26akdA/8cZW8Kn1yN0MqTZhZV0Bv1IP+PHhztFyWlkzx9VojY+0
 1B8bagkQVNndYS/7vlzhjwsaylMOQIDAQABo4GaMIGXMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GS
 B2jvZrAhwYMA4GA1UdDwEB/wQEAwIBxjBPBggrBgEFBQcBAQRDMEEwPwYIKwYBBQUHMAGGM2h0dHA
 6Ly9jc3BraS12bTEuZW5nbGFiLnBucS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDATBgNVHSUEDDAK
 BggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAQEAIZ5pKVEddQWSHME3wD+YqpgjCdB7Iv+7yHiVa
 gIVnfXJEml5QZutaWSOAtG0wYRrRz0lIDD76KVgrzdmHLT2iYn3dpyQIYbqC20l0xcCa3fHyTVRDj
 owQnCMUMEefOkP/UkL8EOm36ZOhhbV9Ycr1D/8I6tS7H66DIvs6GVi8xBaKfQmrARvs+tp6YEosqv
 CF0q3C6zqatL0Pl3KaiIcMJGCA5WqHgKZLR4fHhnm9QmoBmeYmWC0gLFKPCLRVrpmh/Zgq82Xt2wD
 Bl9cZ/hyaorMjZmRojzXAu+Ca1GoZOLrWo8hmKwjXm1tnycUoimhdX7s3/dBlSCptZDjKhyG6w==
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211909Z
dateOfModify: 20160918211909Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 2

# 3, certificateRepository, ca, pki-test-CA
dn: cn=3,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 013
metaInfo: profileId:caServerCert
metaInfo: requestId:3
notBefore: 20160918211909Z
notAfter: 20180908211909Z
duration: 1162208000000
subjectName: CN=cspki-vm1.englab.pnq.redhat.com,O=englab.pnq.redhat.com Securi
 ty Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvywv3agfZCytf+XclW
 yyMkprYz1tYJ8P6FfOrHeeGw3THG9dugRLXgTac58XqVDNCGHYmf1vyhuQR3+Krukem3Smd0ed6aI
 GmkDtEnYZHFVVtuC9uPKDf8E7ktxZFLojv968PiuzQHhrYGZj83bB0YYNuqxdJjsiAVTlMug45r2U
 pRGcd7A8SOdTO7z7KFBWvsKzQRDlpKw/Oy+JwEKZ1ljTjkVAZwX+guXNKzycZcp0VLi5Bxfr+5ZFq
 rdCYemJzLN03Dt/IbajSwXFQNlvt/mvvlxEWCzm7fVV3gV7Am88dmdXPv/Ca90POTYMXiH+fCZPfQ
 yFR/nKEUwcxLXAUwIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDwTCCAqmgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwOVoXDTE4MDkwODE1NDkwOVowWjEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEoMCYGA1UEAwwfY3Nwa2kt
 dm0xLmVuZ2xhYi5wbnEucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBA
 L8sL92oH2QsrX/l3JVssjJKa2M9bWCfD+hXzqx3nhsN0xxvXboES14E2nOfF6lQzQhh2Jn9b8obkE
 d/iq7pHpt0pndHnemiBppA7RJ2GRxVVbbgvbjyg3/BO5LcWRS6I7/evD4rs0B4a2BmY/N2wdGGDbq
 sXSY7IgFU5TLoOOa9lKURnHewPEjnUzu8+yhQVr7Cs0EQ5aSsPzsvicBCmdZY045FQGcF/oLlzSs8
 nGXKdFS4uQcX6/uWRaq3QmHpicyzdNw7fyG2o0sFxUDZb7f5r75cRFgs5u31Vd4FewJvPHZnVz7/w
 mvdDzk2DF4h/nwmT30MhUf5yhFMHMS1wFMCAwEAAaOBmjCBlzAfBgNVHSMEGDAWgBSV6D6a5mxTmD
 bD9Rkgdo72awIcGDBPBggrBgEFBQcBAQRDMEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly9jc3BraS12bTE
 uZW5nbGFiLnBucS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0l
 BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHe1Ih8zh0ntbbxTR9AzugAeTHgtcU3i4
 EwBcQ0caMMylgQBQsPoXRmNUOyq6QPjyJMe4ulytjlhD7Rjy0yPGCvgkjhTPs7OV44xPOQwWqGWkz
 GZPIbpHy5NYpvCMw9rAuKoTZV59qSEfvgBN9io6GS2lVLGNvOZ4mI7PRsj2tq7jf0QcxJr8g2ukWl
 N3Em7fu9Ohr6IRcZTL3N7XRLRaiQy686w8cQgCiQKgILrzOmVdeNFcwc3201h8x5vKkQQbZjkGIJx
 Ym2jQ+QbmnNGSXhId9IjQfn8ZvPqDXdNShMcDWFNp6LRVG/75sjDBjQjq1O3tIsnIB/BrIOXaAmyG
 mU=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211909Z
dateOfModify: 20160918211909Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 3

# 4, certificateRepository, ca, pki-test-CA
dn: cn=4,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 014
metaInfo: profileId:caServerCert
metaInfo: requestId:4
notBefore: 20160918211910Z
notAfter: 20180908211910Z
duration: 1162208000000
subjectName: CN=Subsystem Certificate,O=englab.pnq.redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEbg72cD92zeb3cqu4
 2WOqCYYflJnfnhbAG47h0WdHnbFDyKIuGwuYjQDixCzLNqG3SI2eb7btdhSlJOdyW7KSE0J3qovY/
 jX5xmZE1bO/ysvNMui6qaTJt2tvKGS6kuFC5mqKkxh/j5/e9XvHC4xY4XDW+exYEQyqewzQiFT3ZC
 XzKCXm+7nipcNcQMtDyp4JK8V15xLDuDBQ/le7h+rfjlyL+nKJDmPDR3cuCxWfCrTtSrTkou5BjTu
 5yP+MUxb0ETffoufTb6OQpZwYDY9f9Dz1WZOl8gjTLJfrUn7x6V2XwXNt/wc75WNfWIcboV+O0j8m
 5wjutkY/Rr1Mvq1QIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDwTCCAqmgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxMFoXDTE4MDkwODE1NDkxMFowUDEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEeMBwGA1UEAwwVU3Vic3lz
 dGVtIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEbg72cD92zeb
 3cqu42WOqCYYflJnfnhbAG47h0WdHnbFDyKIuGwuYjQDixCzLNqG3SI2eb7btdhSlJOdyW7KSE0J3
 qovY/jX5xmZE1bO/ysvNMui6qaTJt2tvKGS6kuFC5mqKkxh/j5/e9XvHC4xY4XDW+exYEQyqewzQi
 FT3ZCXzKCXm+7nipcNcQMtDyp4JK8V15xLDuDBQ/le7h+rfjlyL+nKJDmPDR3cuCxWfCrTtSrTkou
 5BjTu5yP+MUxb0ETffoufTb6OQpZwYDY9f9Dz1WZOl8gjTLJfrUn7x6V2XwXNt/wc75WNfWIcboV+
 O0j8m5wjutkY/Rr1Mvq1QIDAQABo4GkMIGhMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GSB2jvZrAh
 wYME8GCCsGAQUFBwEBBEMwQTA/BggrBgEFBQcwAYYzaHR0cDovL2NzcGtpLXZtMS5lbmdsYWIucG5
 xLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
 BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAKiKUuXKM44jOgVG3bwYGfCxDjPRsgKBd
 xTcnKOca1RFFv3qo3TrMIT/r64FuwIcpWngZgDcTXgLJaqg/7IvwKK3SxpeFuVWHF+6jCPOby4L/j
 sQ9qhgEcsKmYv2rdZTN0Lu+1qYLlClAJZkeFCWgGsMPzlzmqr9+jckmIPiPhrDf1lJtauRDIhRvPq
 iuvkxVAGgY3uguEOWCAq9KRhegP+YIBugf7JpPIjiOoubrBbLtYn9kWUnLw1whNNkp0hfOtRM8icy
 gIL48IKoGennZw3DTMau78V1LpODkTzQeAeBeBwsyV0lhFYyEkNQ8ZOdfKWY9bUFFbcYNFI/LmpI2
 lI=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211910Z
dateOfModify: 20160918211910Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 4

# 5, certificateRepository, ca, pki-test-CA
dn: cn=5,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 015
metaInfo: profileId:caSignedLogCert
metaInfo: requestId:5
notBefore: 20160918211912Z
notAfter: 20180908211912Z
duration: 1162208000000
subjectName: CN=CA Audit Signing Certificate,O=englab.pnq.redhat.com Security 
 Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxEd7vQHQZJnxDyF4cR
 IbkLQaX5xJmMb0oXxzEMq69UKN6ZOKkUA2JKjykDIP+as0XoOCpfkfUoZPOMQ5hbTJ7lCVgTfD29K
 lWfWTzzlPmRVePMmGSjAae0APxyhzkvpixtscZb069/XNTimwy13Gi+Og92PCpYAB/olcWOoRg4ja
 epZSq96bIvcs4qCAMAfMToznCl39WdBUCahUs37U1+68wIIRRIiqRSAnlBPneqYP9k9OcX69zXWrr
 tVfw8H5WT1fM39pos927w7Feg1jLKy0dbI7lHPKFiHXrS8Ws0Tqa6IEwsiK3TpnQsz9anAINtgN4q
 smzrmF8ACns2paoQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDqTCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxMloXDTE4MDkwODE1NDkxMlowVzEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjElMCMGA1UEAwwcQ0EgQXVk
 aXQgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRHe
 70B0GSZ8Q8heHESG5C0Gl+cSZjG9KF8cxDKuvVCjemTipFANiSo8pAyD/mrNF6DgqX5H1KGTzjEOY
 W0ye5QlYE3w9vSpVn1k885T5kVXjzJhkowGntAD8coc5L6YsbbHGW9Ovf1zU4psMtdxovjoPdjwqW
 AAf6JXFjqEYOI2nqWUqvemyL3LOKggDAHzE6M5wpd/VnQVAmoVLN+1NfuvMCCEUSIqkUgJ5QT53qm
 D/ZPTnF+vc11q67VX8PB+Vk9XzN/aaLPdu8OxXoNYyystHWyO5RzyhYh160vFrNE6muiBMLIit06Z
 0LM/WpwCDbYDeKrJs65hfAAp7NqWqECAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBSV6D6a5mxTmDbD9R
 kgdo72awIcGDAOBgNVHQ8BAf8EBAMCBsAwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzABhjNodHR
 wOi8vY3Nwa2ktdm0xLmVuZ2xhYi5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcN
 AQELBQADggEBAHt0LIJlX5z+V+jPjN8xi2dLmsBFsGm2uLptiRShh4gBqwH5iXiwDVN36NHv3k1Nh
 VZoqGGqNGoBttuNotptAd1lpIzgck4/O2mL5vYaaaSDghLr4iq0Y3IJamB4C+b/FIuLrg50t1RLa7
 xd4soN/Zp7iD6pXviuubRXZtrK9GZZV449PaIrzczyvptDIQd0yzj7pJF0J02Lkz3dI1HrONoFOHf
 2fb3vYNU9aLY3QBRg8lFO8UD+p1OQb+WzkuhPmaoFMvlV2tyxnWnXBWIO4SZStwtsgSiESENbk+fT
 LHr7vQMeMdo3MMyBkdv3pWqELKOnnmf6LuLUqxwkQ3W+sPE=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211912Z
dateOfModify: 20160918211912Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 5

# 6, certificateRepository, ca, pki-test-CA
dn: cn=6,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 016
metaInfo: profileId:caAdminCert
metaInfo: requestId:6
notBefore: 20160918211914Z
notAfter: 20180908211914Z
duration: 1162208000000
subjectName: CN=PKI Administrator,E=caadmin.redhat.com,O=englab.pnq
 .redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgrJez5XPvCFCK2Kuh
 AeWOQFCARuLAFpSHNubQor9lXrOSnld27qKupZSgn+nlosl5sDPrcCtXYGjIJCAf0yhbFTLIiDuoU
 GbJW4tknsKnXF3kemSHbcSQrxfN5ghsGoSonbS99JxxcX4wVDMAWOYy7RcjvZbOeBfm590mOrOdCF
 U5kZvSY7wTotuOk59PzB3csGv/2m/Q9SHoLSl/jBcUcdrEHR6WBhkaz2gm9IZVPLLQn6EuKK9N9bn
 DFn5tHzG++A9gNPa52V6C3OF4tX9//L5SW0iivYP651c5/3/8DotYBJYRoqCgAGwtBGuWdPq6AC9H
 YUP1d0I/+Jc17SaQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIID6zCCAtOgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxNFoXDTE4MDkwODE1NDkxNFowejEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEsMCoGCSqGSIb3DQEJARYd
 Y2FhZG1pbkBlbmdsYWIucG5xLnJlZGhhdC5jb20xGjAYBgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yM
 IIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgrJez5XPvCFCK2KuhAeWOQFCARuLAFpSH
 NubQor9lXrOSnld27qKupZSgn+nlosl5sDPrcCtXYGjIJCAf0yhbFTLIiDuoUGbJW4tknsKnXF3ke
 mSHbcSQrxfN5ghsGoSonbS99JxxcX4wVDMAWOYy7RcjvZbOeBfm590mOrOdCFU5kZvSY7wTotuOk5
 9PzB3csGv/2m/Q9SHoLSl/jBcUcdrEHR6WBhkaz2gm9IZVPLLQn6EuKK9N9bnDFn5tHzG++A9gNPa
 52V6C3OF4tX9//L5SW0iivYP651c5/3/8DotYBJYRoqCgAGwtBGuWdPq6AC9HYUP1d0I/+Jc17SaQ
 IDAQABo4GkMIGhMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GSB2jvZrAhwYME8GCCsGAQUFBwEBBEM
 wQTA/BggrBgEFBQcwAYYzaHR0cDovL2NzcGtpLXZtMS5lbmdsYWIucG5xLnJlZGhhdC5jb206ODA4
 MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwD
 QYJKoZIhvcNAQELBQADggEBAAiST8ttMd9hokgOBgpFqTXP7TrboM9W54ZgE7BuSWo+dO1Rb4534Y
 5G9XX6ZIli5BK3SZLyNBNor4wGSH5qxHwMpay0lC0i2SaDXMPEG0u2VBmY8MWrDman/b2H5Tz4oz4
 N23TGirCKXxPL2p2i9zzQ3Sx3Um5kBBCiEgiF5zX91IFeutveWaqQfRyL/I3UvBXuL828tXpRG4IB
 8D6bdbc+SnSVibb82IkwFoMBfY+egTMZSAL8p7yNJdFYq1BFnXwDoTsYQrL4PciYdUPEzMmbeNtUT
 rYTk4kVsPUFpJFbdDfT4JIBIafZfDM0BpvJOVlLoQRIbHQr3+c4eSuP7fI=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211914Z
dateOfModify: 20160918211914Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 6

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7


2. Stop CA instance and try to migrate from pki-ca 10.2.x to pki-ca 10.3.x.

Installed Packages
pki-ca.noarch                                                        10.2.5-6.el7                                                         @rhel72 
Available Packages
pki-ca.noarch                                                        10.3.3-9.el7                                                         RHEL_7.3

3. Check ca debug logs to make sure it started.
4. Chcek all connectivity is up with db.
5. run pki-server db-upgrade

[root@cspki-vm1 ca]# pki-server -v db-upgrade -i pki-test
Command: db-upgrade -i pki-test
----------------
Upgrade complete
----------------

6. Check in ldap if a new entry exist for issuerName.

[root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA" 
# extended LDIF
#
# LDAPv3
# base <ou=certificateRepository,ou=ca,o=pki-test-CA> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# certificateRepository, ca, pki-test-CA
dn: ou=certificateRepository,ou=ca,o=pki-test-CA
serialno: 011
ou: certificateRepository
objectClass: top
objectClass: repository
nextRange: 10000001

# 1, certificateRepository, ca, pki-test-CA
dn: cn=1,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 011
metaInfo: profileId:caCACert
metaInfo: requestId:1
notBefore: 20160918211906Z
notAfter: 20360918211906Z
duration: 12631152000000
subjectName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqT9wbTZlKhprpa2lm8
 R3b/IRCaywSrPAMdswwwhdzcwQ5id0lAUwbSE7VhDZYriyZOfZdO0DinMzAXzk9vFdyBgnh48rk4N
 SPSgMdWFQ3RR6V6cEjw4kdd0/bT9LmJqD6hOqOMsnXl86YLHg11YwnA/eSapYOYHo1Fvksga0ChVs
 qY8qe4lwmSAhAg7n3yYSGk83J9cVPLj/7LxDN+u1UvQSnaF6dewCpR6kS1IgSq8Km2ByVqCOgdTIH
 oM8NbHRXbprrCjjW41CLVmGsjX14uOwHhQ57mvkJXxAEs92m5bkUy7OCGTKlK9KJ+npLHErvVFie0
 SrQ9/JNq2bDYUM8wIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.14
extension: 2.5.29.35
extension: 2.5.29.15
extension: 2.5.29.19;isCA=true,pathLen=-1
userCertificate;binary:: MIID0zCCArugAwIBAgIBATANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwNloXDTM2MDkxODE1NDkwNlowUTEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln
 bmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk/cG02ZSoaa
 6WtpZvEd2/yEQmssEqzwDHbMMMIXc3MEOYndJQFMG0hO1YQ2WK4smTn2XTtA4pzMwF85PbxXcgYJ4
 ePK5ODUj0oDHVhUN0UelenBI8OJHXdP20/S5iag+oTqjjLJ15fOmCx4NdWMJwP3kmqWDmB6NRb5LI
 GtAoVbKmPKnuJcJkgIQIO598mEhpPNyfXFTy4/+y8QzfrtVL0Ep2henXsAqUepEtSIEqvCptgclag
 joHUyB6DPDWx0V26a6wo41uNQi1ZhrI19eLjsB4UOe5r5CV8QBLPdpuW5FMuzghkypSvSifp6SxxK
 71RYntEq0PfyTatmw2FDPMCAwEAAaOBtTCBsjAfBgNVHSMEGDAWgBSV6D6a5mxTmDbD9Rkgdo72aw
 IcGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUleg+muZsU5g2w/U
 ZIHaO9msCHBgwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzABhjNodHRwOi8vY3Nwa2ktdm0xLmVu
 Z2xhYi5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAJkjgpclF
 thPdkNAYRbJ2/uDcQtlS80d4HFdmTl0pawBeVGGtvUQVpAI4lS45pRji3Lj+1NFx4dYYKLJ3mBmD+
 RyJnpnkvfAXpUT1tjRkVpt0BCopDcKw7anHFjgloaGnQ9YFwyQObucYXpPpH/KeTnaLIY91DR1e+t
 Q/ULy1CTaAi/G+EsNprIwDhU+dUahCngU5uf24i0veVD6QuZzeWzxHOcG7H23E7m+5LTk0ALrVNAB
 0sz9x9h6XHYteXM6an8iWWJ+rqff3G+i3DrdOg5WOpYR1xzbvc6nq8Vr9K5Al97MdKi8xYE3dLgNr
 jukv+MaAswmPKVqc3Hi7Utwk8U=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211906Z
dateOfModify: 20160918211906Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 1
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# 2, certificateRepository, ca, pki-test-CA
dn: cn=2,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 012
metaInfo: profileId:caOCSPCert
metaInfo: requestId:2
notBefore: 20160918211909Z
notAfter: 20180908211909Z
duration: 1162208000000
subjectName: CN=CA OCSP Signing Certificate,O=englab.pnq.redhat.com Security D
 omain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqSftDYW01XV4HrUzMq
 7NjGJru3gNDRfQ/J/kaovvErorrZWf/Qh2wIm5IldP4JHE8llXFTF9munUZgo9bnhZQ1ifAlE+jnm
 G6cG4+uFH4Ckv+p9iHfVtBiTDZVgfQ/PjYfZ6t8zLrSfXoCY07u3i9hefxK4UjCEi1snYPtW6yncz
 XeVpQeM/WXGglt+g/UuFYgffDEZ5d0fF4X6YvQhhi1vznMHnGquqYML8xhRYba0nEIrz/JTvRIh2J
 oimSPypZIxGRX26akdA/8cZW8Kn1yN0MqTZhZV0Bv1IP+PHhztFyWlkzx9VojY+01B8bagkQVNndY
 S/7vlzhjwsaylMOQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwOVoXDTE4MDkwODE1NDkwOVowVjEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEkMCIGA1UEAwwbQ0EgT0NT
 UCBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqSftD
 YW01XV4HrUzMq7NjGJru3gNDRfQ/J/kaovvErorrZWf/Qh2wIm5IldP4JHE8llXFTF9munUZgo9bn
 hZQ1ifAlE+jnmG6cG4+uFH4Ckv+p9iHfVtBiTDZVgfQ/PjYfZ6t8zLrSfXoCY07u3i9hefxK4UjCE
 i1snYPtW6ynczXeVpQeM/WXGglt+g/UuFYgffDEZ5d0fF4X6YvQhhi1vznMHnGquqYML8xhRYba0n
 EIrz/JTvRIh2JoimSPypZIxGRX26akdA/8cZW8Kn1yN0MqTZhZV0Bv1IP+PHhztFyWlkzx9VojY+0
 1B8bagkQVNndYS/7vlzhjwsaylMOQIDAQABo4GaMIGXMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GS
 B2jvZrAhwYMA4GA1UdDwEB/wQEAwIBxjBPBggrBgEFBQcBAQRDMEEwPwYIKwYBBQUHMAGGM2h0dHA
 6Ly9jc3BraS12bTEuZW5nbGFiLnBucS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDATBgNVHSUEDDAK
 BggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAQEAIZ5pKVEddQWSHME3wD+YqpgjCdB7Iv+7yHiVa
 gIVnfXJEml5QZutaWSOAtG0wYRrRz0lIDD76KVgrzdmHLT2iYn3dpyQIYbqC20l0xcCa3fHyTVRDj
 owQnCMUMEefOkP/UkL8EOm36ZOhhbV9Ycr1D/8I6tS7H66DIvs6GVi8xBaKfQmrARvs+tp6YEosqv
 CF0q3C6zqatL0Pl3KaiIcMJGCA5WqHgKZLR4fHhnm9QmoBmeYmWC0gLFKPCLRVrpmh/Zgq82Xt2wD
 Bl9cZ/hyaorMjZmRojzXAu+Ca1GoZOLrWo8hmKwjXm1tnycUoimhdX7s3/dBlSCptZDjKhyG6w==
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211909Z
dateOfModify: 20160918211909Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 2
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# 3, certificateRepository, ca, pki-test-CA
dn: cn=3,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 013
metaInfo: profileId:caServerCert
metaInfo: requestId:3
notBefore: 20160918211909Z
notAfter: 20180908211909Z
duration: 1162208000000
subjectName: CN=cspki-vm1.englab.pnq.redhat.com,O=englab.pnq.redhat.com Securi
 ty Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvywv3agfZCytf+XclW
 yyMkprYz1tYJ8P6FfOrHeeGw3THG9dugRLXgTac58XqVDNCGHYmf1vyhuQR3+Krukem3Smd0ed6aI
 GmkDtEnYZHFVVtuC9uPKDf8E7ktxZFLojv968PiuzQHhrYGZj83bB0YYNuqxdJjsiAVTlMug45r2U
 pRGcd7A8SOdTO7z7KFBWvsKzQRDlpKw/Oy+JwEKZ1ljTjkVAZwX+guXNKzycZcp0VLi5Bxfr+5ZFq
 rdCYemJzLN03Dt/IbajSwXFQNlvt/mvvlxEWCzm7fVV3gV7Am88dmdXPv/Ca90POTYMXiH+fCZPfQ
 yFR/nKEUwcxLXAUwIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDwTCCAqmgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkwOVoXDTE4MDkwODE1NDkwOVowWjEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEoMCYGA1UEAwwfY3Nwa2kt
 dm0xLmVuZ2xhYi5wbnEucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBA
 L8sL92oH2QsrX/l3JVssjJKa2M9bWCfD+hXzqx3nhsN0xxvXboES14E2nOfF6lQzQhh2Jn9b8obkE
 d/iq7pHpt0pndHnemiBppA7RJ2GRxVVbbgvbjyg3/BO5LcWRS6I7/evD4rs0B4a2BmY/N2wdGGDbq
 sXSY7IgFU5TLoOOa9lKURnHewPEjnUzu8+yhQVr7Cs0EQ5aSsPzsvicBCmdZY045FQGcF/oLlzSs8
 nGXKdFS4uQcX6/uWRaq3QmHpicyzdNw7fyG2o0sFxUDZb7f5r75cRFgs5u31Vd4FewJvPHZnVz7/w
 mvdDzk2DF4h/nwmT30MhUf5yhFMHMS1wFMCAwEAAaOBmjCBlzAfBgNVHSMEGDAWgBSV6D6a5mxTmD
 bD9Rkgdo72awIcGDBPBggrBgEFBQcBAQRDMEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly9jc3BraS12bTE
 uZW5nbGFiLnBucS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0l
 BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHe1Ih8zh0ntbbxTR9AzugAeTHgtcU3i4
 EwBcQ0caMMylgQBQsPoXRmNUOyq6QPjyJMe4ulytjlhD7Rjy0yPGCvgkjhTPs7OV44xPOQwWqGWkz
 GZPIbpHy5NYpvCMw9rAuKoTZV59qSEfvgBN9io6GS2lVLGNvOZ4mI7PRsj2tq7jf0QcxJr8g2ukWl
 N3Em7fu9Ohr6IRcZTL3N7XRLRaiQy686w8cQgCiQKgILrzOmVdeNFcwc3201h8x5vKkQQbZjkGIJx
 Ym2jQ+QbmnNGSXhId9IjQfn8ZvPqDXdNShMcDWFNp6LRVG/75sjDBjQjq1O3tIsnIB/BrIOXaAmyG
 mU=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211909Z
dateOfModify: 20160918211909Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 3
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# 4, certificateRepository, ca, pki-test-CA
dn: cn=4,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 014
metaInfo: profileId:caServerCert
metaInfo: requestId:4
notBefore: 20160918211910Z
notAfter: 20180908211910Z
duration: 1162208000000
subjectName: CN=Subsystem Certificate,O=englab.pnq.redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEbg72cD92zeb3cqu4
 2WOqCYYflJnfnhbAG47h0WdHnbFDyKIuGwuYjQDixCzLNqG3SI2eb7btdhSlJOdyW7KSE0J3qovY/
 jX5xmZE1bO/ysvNMui6qaTJt2tvKGS6kuFC5mqKkxh/j5/e9XvHC4xY4XDW+exYEQyqewzQiFT3ZC
 XzKCXm+7nipcNcQMtDyp4JK8V15xLDuDBQ/le7h+rfjlyL+nKJDmPDR3cuCxWfCrTtSrTkou5BjTu
 5yP+MUxb0ETffoufTb6OQpZwYDY9f9Dz1WZOl8gjTLJfrUn7x6V2XwXNt/wc75WNfWIcboV+O0j8m
 5wjutkY/Rr1Mvq1QIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDwTCCAqmgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxMFoXDTE4MDkwODE1NDkxMFowUDEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEeMBwGA1UEAwwVU3Vic3lz
 dGVtIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEbg72cD92zeb
 3cqu42WOqCYYflJnfnhbAG47h0WdHnbFDyKIuGwuYjQDixCzLNqG3SI2eb7btdhSlJOdyW7KSE0J3
 qovY/jX5xmZE1bO/ysvNMui6qaTJt2tvKGS6kuFC5mqKkxh/j5/e9XvHC4xY4XDW+exYEQyqewzQi
 FT3ZCXzKCXm+7nipcNcQMtDyp4JK8V15xLDuDBQ/le7h+rfjlyL+nKJDmPDR3cuCxWfCrTtSrTkou
 5BjTu5yP+MUxb0ETffoufTb6OQpZwYDY9f9Dz1WZOl8gjTLJfrUn7x6V2XwXNt/wc75WNfWIcboV+
 O0j8m5wjutkY/Rr1Mvq1QIDAQABo4GkMIGhMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GSB2jvZrAh
 wYME8GCCsGAQUFBwEBBEMwQTA/BggrBgEFBQcwAYYzaHR0cDovL2NzcGtpLXZtMS5lbmdsYWIucG5
 xLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
 BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAKiKUuXKM44jOgVG3bwYGfCxDjPRsgKBd
 xTcnKOca1RFFv3qo3TrMIT/r64FuwIcpWngZgDcTXgLJaqg/7IvwKK3SxpeFuVWHF+6jCPOby4L/j
 sQ9qhgEcsKmYv2rdZTN0Lu+1qYLlClAJZkeFCWgGsMPzlzmqr9+jckmIPiPhrDf1lJtauRDIhRvPq
 iuvkxVAGgY3uguEOWCAq9KRhegP+YIBugf7JpPIjiOoubrBbLtYn9kWUnLw1whNNkp0hfOtRM8icy
 gIL48IKoGennZw3DTMau78V1LpODkTzQeAeBeBwsyV0lhFYyEkNQ8ZOdfKWY9bUFFbcYNFI/LmpI2
 lI=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211910Z
dateOfModify: 20160918211910Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 4
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# 5, certificateRepository, ca, pki-test-CA
dn: cn=5,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 015
metaInfo: profileId:caSignedLogCert
metaInfo: requestId:5
notBefore: 20160918211912Z
notAfter: 20180908211912Z
duration: 1162208000000
subjectName: CN=CA Audit Signing Certificate,O=englab.pnq.redhat.com Security 
 Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxEd7vQHQZJnxDyF4cR
 IbkLQaX5xJmMb0oXxzEMq69UKN6ZOKkUA2JKjykDIP+as0XoOCpfkfUoZPOMQ5hbTJ7lCVgTfD29K
 lWfWTzzlPmRVePMmGSjAae0APxyhzkvpixtscZb069/XNTimwy13Gi+Og92PCpYAB/olcWOoRg4ja
 epZSq96bIvcs4qCAMAfMToznCl39WdBUCahUs37U1+68wIIRRIiqRSAnlBPneqYP9k9OcX69zXWrr
 tVfw8H5WT1fM39pos927w7Feg1jLKy0dbI7lHPKFiHXrS8Ws0Tqa6IEwsiK3TpnQsz9anAINtgN4q
 smzrmF8ACns2paoQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIIDqTCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxMloXDTE4MDkwODE1NDkxMlowVzEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjElMCMGA1UEAwwcQ0EgQXVk
 aXQgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRHe
 70B0GSZ8Q8heHESG5C0Gl+cSZjG9KF8cxDKuvVCjemTipFANiSo8pAyD/mrNF6DgqX5H1KGTzjEOY
 W0ye5QlYE3w9vSpVn1k885T5kVXjzJhkowGntAD8coc5L6YsbbHGW9Ovf1zU4psMtdxovjoPdjwqW
 AAf6JXFjqEYOI2nqWUqvemyL3LOKggDAHzE6M5wpd/VnQVAmoVLN+1NfuvMCCEUSIqkUgJ5QT53qm
 D/ZPTnF+vc11q67VX8PB+Vk9XzN/aaLPdu8OxXoNYyystHWyO5RzyhYh160vFrNE6muiBMLIit06Z
 0LM/WpwCDbYDeKrJs65hfAAp7NqWqECAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBSV6D6a5mxTmDbD9R
 kgdo72awIcGDAOBgNVHQ8BAf8EBAMCBsAwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzABhjNodHR
 wOi8vY3Nwa2ktdm0xLmVuZ2xhYi5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcN
 AQELBQADggEBAHt0LIJlX5z+V+jPjN8xi2dLmsBFsGm2uLptiRShh4gBqwH5iXiwDVN36NHv3k1Nh
 VZoqGGqNGoBttuNotptAd1lpIzgck4/O2mL5vYaaaSDghLr4iq0Y3IJamB4C+b/FIuLrg50t1RLa7
 xd4soN/Zp7iD6pXviuubRXZtrK9GZZV449PaIrzczyvptDIQd0yzj7pJF0J02Lkz3dI1HrONoFOHf
 2fb3vYNU9aLY3QBRg8lFO8UD+p1OQb+WzkuhPmaoFMvlV2tyxnWnXBWIO4SZStwtsgSiESENbk+fT
 LHr7vQMeMdo3MMyBkdv3pWqELKOnnmf6LuLUqxwkQ3W+sPE=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211912Z
dateOfModify: 20160918211912Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 5
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# 6, certificateRepository, ca, pki-test-CA
dn: cn=6,ou=certificateRepository,ou=ca,o=pki-test-CA
objectClass: top
objectClass: certificateRecord
serialno: 016
metaInfo: profileId:caAdminCert
metaInfo: requestId:6
notBefore: 20160918211914Z
notAfter: 20180908211914Z
duration: 1162208000000
subjectName: CN=PKI Administrator,E=caadmin.redhat.com,O=englab.pnq
 .redhat.com Security Domain
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgrJez5XPvCFCK2Kuh
 AeWOQFCARuLAFpSHNubQor9lXrOSnld27qKupZSgn+nlosl5sDPrcCtXYGjIJCAf0yhbFTLIiDuoU
 GbJW4tknsKnXF3kemSHbcSQrxfN5ghsGoSonbS99JxxcX4wVDMAWOYy7RcjvZbOeBfm590mOrOdCF
 U5kZvSY7wTotuOk59PzB3csGv/2m/Q9SHoLSl/jBcUcdrEHR6WBhkaz2gm9IZVPLLQn6EuKK9N9bn
 DFn5tHzG++A9gNPa52V6C3OF4tX9//L5SW0iivYP651c5/3/8DotYBJYRoqCgAGwtBGuWdPq6AC9H
 YUP1d0I/+Jc17SaQIDAQAB
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: MIID6zCCAtOgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMS4wLAYDV
 QQKDCVlbmdsYWIucG5xLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaW
 duaW5nIENlcnRpZmljYXRlMB4XDTE2MDkxODE1NDkxNFoXDTE4MDkwODE1NDkxNFowejEuMCwGA1U
 ECgwlZW5nbGFiLnBucS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEsMCoGCSqGSIb3DQEJARYd
 Y2FhZG1pbkBlbmdsYWIucG5xLnJlZGhhdC5jb20xGjAYBgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yM
 IIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgrJez5XPvCFCK2KuhAeWOQFCARuLAFpSH
 NubQor9lXrOSnld27qKupZSgn+nlosl5sDPrcCtXYGjIJCAf0yhbFTLIiDuoUGbJW4tknsKnXF3ke
 mSHbcSQrxfN5ghsGoSonbS99JxxcX4wVDMAWOYy7RcjvZbOeBfm590mOrOdCFU5kZvSY7wTotuOk5
 9PzB3csGv/2m/Q9SHoLSl/jBcUcdrEHR6WBhkaz2gm9IZVPLLQn6EuKK9N9bnDFn5tHzG++A9gNPa
 52V6C3OF4tX9//L5SW0iivYP651c5/3/8DotYBJYRoqCgAGwtBGuWdPq6AC9HYUP1d0I/+Jc17SaQ
 IDAQABo4GkMIGhMB8GA1UdIwQYMBaAFJXoPprmbFOYNsP1GSB2jvZrAhwYME8GCCsGAQUFBwEBBEM
 wQTA/BggrBgEFBQcwAYYzaHR0cDovL2NzcGtpLXZtMS5lbmdsYWIucG5xLnJlZGhhdC5jb206ODA4
 MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwD
 QYJKoZIhvcNAQELBQADggEBAAiST8ttMd9hokgOBgpFqTXP7TrboM9W54ZgE7BuSWo+dO1Rb4534Y
 5G9XX6ZIli5BK3SZLyNBNor4wGSH5qxHwMpay0lC0i2SaDXMPEG0u2VBmY8MWrDman/b2H5Tz4oz4
 N23TGirCKXxPL2p2i9zzQ3Sx3Um5kBBCiEgiF5zX91IFeutveWaqQfRyL/I3UvBXuL828tXpRG4IB
 8D6bdbc+SnSVibb82IkwFoMBfY+egTMZSAL8p7yNJdFYq1BFnXwDoTsYQrL4PciYdUPEzMmbeNtUT
 rYTk4kVsPUFpJFbdDfT4JIBIafZfDM0BpvJOVlLoQRIbHQr3+c4eSuP7fI=
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20160918211914Z
dateOfModify: 20160918211914Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: system
cn: 6
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

6. Verify all the 6 certs have new attribute "issureName" added with correct IssuerName

[root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA"  | grep issuerName
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

Comment 6 Geetika Kapoor 2016-09-14 06:59:04 UTC

Test Case 1: To verify that new attribute "issureName" gets added.

[root@cspki-vm1 ca]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -p 3389 -h 10.65.201.81 -b "ou=certificateRepository,ou=ca,o=pki-test-CA"  | grep issuerName
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain

Test Case 2: Add a new cert in the ldap without a issuerName.Do an db-update and see if the attribute is getting added when a usercert has different IssuerName.

issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,O=englab.pnq.redhat.com Security Domain
issuerName: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarma

Test Case 3: Add an LDAP entry and "UserCertificate" is incorrect and doesn't have a correct issuerNAme .

Verified that pki-server db-update fails with the exception.

  File "/usr/lib/python2.7/site-packages/pki/server/cli/db.py", line 226, in add_issuer_name
    cert = nss.Certificate(bytearray(attr_cert[0]))
NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
ERROR: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.

Comment 7 Geetika Kapoor 2016-09-14 07:02:10 UTC

Hello,

I have added above mentioned test cases.I think this testing is only for CA subsystem.

Thanks
Geetika

Comment 8 Geetika Kapoor 2016-09-26 13:36:49 UTC

Could you please clarify if this testing needs to done for other subsystems like KRA,OCSP,TKS and TPS? I have tested for CA only.

Comment 10 Endi Sukma Dewata 2016-09-27 19:30:49 UTC

I think this bug has already been verified in comment #5 or test case 1 in comment #6.

I'm not sure about the expected result for test case 3. If it's a problem please open a separate bug.

Since certificate records only exist in CA, this test does not need to be executed on other subsystems.

Comment 12 errata-xmlrpc 2016-11-04 05:23:09 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Note You need to log in before you can comment on or make changes to this bug.