Description of problem:
If I add my custom CA to both /etc/pki/ca-trust/source/anchors and /etc/pki/ca-trust/source/blacklist (and run update-ca-trust), certificates signed by this CA are trusted.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. generate a CA and a server cert signed by it
2. add the CA to both /etc/pki/ca-trust/source/anchors and /etc/pki/ca-trust/source/blacklist
4. verify server cert (certtool --verify <server.pem)
Chain verification output: Verified. The certificate is trusted.
Blacklist has priority, server cert is not trusted.
I did further investigation and it really seems that the issue is only in this corner case. Blacklisting CA that is included in system by default works as expected.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.