Bug 1374877 - Installer generates PKCS #12 with duplicate CA signing certificates
Summary: Installer generates PKCS #12 with duplicate CA signing certificates
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-09 23:15 UTC by Endi Sukma Dewata
Modified: 2016-09-19 18:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-19 18:07:23 UTC
Target Upstream Version:



Description Endi Sukma Dewata 2016-09-09 23:15:14 UTC
During CA installation on RHEL 6.8 the BackupKeyCertPanel will export the system certificates and the CA certificates (trust anchors) into a PKCS #12 file. However, since the CA signing certificate is considered both a system certificate and a trust anchor, it will be exported twice. The first copy will have a nickname, while the second copy will not have a nickname. Depending on how the PKCS #12 file is used, the duplicate certificates and the missing nickname may cause a problem.

Here's the relevant code in BackupKeyCertPanel.backupKeysCerts():

  // export system certificates with nicknames

  String certlist = cs.getString("preop.cert.list");
  StringTokenizer st = new StringTokenizer(certlist, ",");
  while (st.hasMoreTokens()) {
      String t = st.nextToken().trim(); // certificate tag, e.g. "signing" (elided in the original excerpt)
      String nickname = cs.getString("preop.cert." + t + ".nickname");
      // look up the certificate by nickname (elided in the original excerpt; assumes the JSS CryptoManager lookup)
      X509Certificate x509cert = cm.findCertByNickname(nickname);
      addCertBag(x509cert, nickname, safeContents); // first copy of the CA signing cert, with nickname
  }

  // export CA certificates without nicknames

  X509Certificate[] cacerts = cm.getCACerts();
  for (int i=0; i<cacerts.length; i++) {
      String nickname = null;
      addCertBag(cacerts[i], nickname, safeContents); // second copy of the CA signing cert, no nickname
  }

The problem happens on RHEL 6.8 and possibly earlier RHEL 7.x. The problem does not happen on RHEL 7.3 since it uses different code to export the certificates.

Steps to reproduce:
1. Install CA (or IPA). Make sure the backup option is enabled.
2. Inspect the content of the PKCS #12 file with this command:

  $ openssl pkcs12 -in cacert.p12 -passin file:password.txt

Actual results:

The CA certificate will appear twice:

  Bag Attributes
      localKeyID: ...
      friendlyName: caSigningCert cert-pki-ca
  subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
  issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority

  ...

  Bag Attributes: <No Attributes>
  subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
  issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority

Expected results:

Ideally the CA certificate should only appear once with the proper nickname.

Note that the PKCS12Export does not have this problem since it exports all certificates from the NSS database:

  X509Certificate[] certs = store.getCertificates();
  for (int i=0; i<certs.length; i++) {
      String nickname = certs[i].getNickname();
      // look up the private key, if any (elided in the original excerpt; assumes the JSS CryptoManager lookup)
      PrivateKey prikey = null;
      try {
          prikey = cm.findPrivKeyByCert(certs[i]);
      } catch (ObjectNotFoundException e) {
          // no private key for this certificate
      }
      if (prikey == null) { // certificate doesn't have a key, no nickname
          addCertBag(certs[i], null, safeContents);
      } else { // certificate has a key, include nickname
          addCertBag(certs[i], nickname, safeContents);
      }
  }

There are several options to address this issue:
1. Fix the code to generate a valid PKCS #12 file (i.e. no duplicate certificates).
2. Don't generate a PKCS #12 during install (i.e. no invalid PKCS #12 file).
3. Include documentation or a release note describing the problem, and possibly advising the users against using the PKCS #12 file generated during install.
4. Don't change anything, simply close this ticket as won't fix. This ticket will serve as documentation.

As a workaround, the certificates can be exported correctly using PKCS12Export after installation.
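As an added check, not from the bug report or from pki-core, the script below builds a PKCS #12 file with the reported shape (the CA signing certificate once as the key's certificate with a friendlyName, and once more as an attribute-less CA certificate bag) and then counts duplicate certificates and bags without a friendlyName from the same `openssl pkcs12` view used in the steps above. The subject name, file names and the password are constructed, and it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
set -eu

WORK=$(mktemp -d)
P12="$WORK/cacert.p12"

# Build a PKCS #12 with the reported shape: a constructed self-signed "CA
# signing" cert as the key's certificate (friendlyName set via -name), plus
# the very same certificate again via -certfile, which becomes a bare cert
# bag with no attributes, like the second copy shown in the bug report.
make_dup_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -certfile "$WORK/ca.crt" -name "caSigningCert cert-pki-ca" \
        -passout pass:secret -out "$1"
}

# Dump the cert bags (same view as the openssl command in the report), split
# each into its own PEM file, and print one "<sha256 fingerprint>\t<name>"
# line per bag; bags without a friendlyName are marked as such.
list_bags() {
    openssl pkcs12 -in "$1" -passin pass:secret -nokeys 2>/dev/null |
    awk -v dir="$WORK" '
        /^Bag Attributes/ { n++; name = "" }
        /friendlyName:/   { sub(/^ *friendlyName: */, ""); name = $0 }
        /-----BEGIN CERT/ { f = dir "/bag" n ".pem"; names[n] = name }
        f                 { print > f }
        /-----END CERT/   { close(f); f = "" }
        END { for (i = 1; i <= n; i++) print i "\t" names[i] }
    ' | while IFS="$(printf '\t')" read -r i name; do
        fp=$(openssl x509 -in "$WORK/bag$i.pem" -noout -fingerprint -sha256 | cut -d= -f2)
        printf '%s\t%s\n' "$fp" "${name:-<no friendlyName>}"
    done
}

# Distinct certificates that occur in more than one bag (0 in a valid file).
duplicate_count() { list_bags "$1" | cut -f1 | sort | uniq -d | wc -l | tr -d ' '; }

# Cert bags carrying no friendlyName; here that is the stray second CA copy.
unnamed_count() { list_bags "$1" | grep -c '<no friendlyName>' || true; }

make_dup_p12 "$P12"
list_bags "$P12"
echo "duplicate certificates: $(duplicate_count "$P12"), bags without friendlyName: $(unnamed_count "$P12")"
```

Pointing `list_bags` at a file produced by PKCS12Export instead shows each certificate once, which is the property the workaround relies on.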

Comment 3 Endi Sukma Dewata 2016-09-19 18:07:23 UTC
This bug will not be fixed in PKI. IPA will implement a workaround in bug #1371519 by re-exporting the certificates using PKCS12Export.

