Bug 1401620 - Expiring /C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6 certificate
Summary: Expiring /C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6 certif...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ca-certificates
Version: 6.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-05 17:39 UTC by Hubert Kario
Modified: 2017-08-31 13:33 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-31 13:33:04 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Hubert Kario 2016-12-05 17:39:09 UTC 
Certificate will expire on 2017-11-20

ca-certificates-2015.2.6-65.0.1.el6_7.noarch

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
        Validity
            Not Before: Nov 20 21:19:58 2003 GMT
            Not After : Nov 20 21:19:58 2017 GMT
        Subject: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:3d:f5:2c:c9:94:dc:75:8a:95:5d:63:e8:84:
                    77:76:66:b9:59:91:5c:46:dd:92:3e:9f:f9:0e:03:
                    b4:3d:61:92:bd:23:26:b5:63:ee:92:d2:9e:d6:3c:
                    c8:0d:90:5f:64:81:b1:a8:08:0d:4c:d8:f9:d3:05:
                    28:52:b4:01:25:c5:95:1c:0c:7e:3e:10:84:75:cf:
                    c1:19:91:63:cf:e8:a8:91:88:b9:43:52:bb:80:b1:
                    55:89:8b:31:fa:d0:b7:76:be:41:3d:30:9a:a4:22:
                    25:17:73:e8:1e:e2:d3:ac:2a:bd:5b:38:21:d5:2a:
                    4b:d7:55:7d:e3:3a:55:bd:d7:6d:6b:02:57:6b:e6:
                    47:7c:08:c8:82:ba:de:a7:87:3d:a1:6d:b8:30:56:
                    c2:b3:02:81:5f:2d:f5:e2:9a:30:18:28:b8:66:d3:
                    cb:01:96:6f:ea:8a:45:55:d6:e0:9d:ff:67:2b:17:
                    02:a6:4e:1a:6a:11:0b:7e:b7:7b:e7:98:d6:8c:76:
                    6f:c1:3b:db:50:93:7e:e5:d0:8e:1f:37:b8:bd:ba:
                    c6:9f:6c:e9:7c:33:f2:32:3c:26:47:fa:27:24:02:
                    c9:7e:1d:5b:88:42:13:6a:35:7c:7d:35:e9:2e:66:
                    91:72:93:d5:32:26:c4:74:f5:53:a3:b3:5d:9a:f6:
                    09:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name: 
                email:pki-ops
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.101.3.2.1.1.1
                  CPS: http://www.trustdst.com/certificates/policy/ACES-index.html

            X509v3 Subject Key Identifier: 
                09:72:06:4E:18:43:0F:E5:D6:CC:C3:6A:8B:31:7B:78:8F:A8:83:B8
    Signature Algorithm: sha1WithRSAEncryption
         a3:d8:8e:d6:b2:db:ce:05:e7:32:cd:01:d3:04:03:e5:76:e4:
         56:2b:9c:99:90:e8:08:30:6c:df:7d:3d:ee:e5:bf:b5:24:40:
         84:49:e1:d1:28:ae:c4:c2:3a:53:30:88:f1:f5:77:6e:51:ca:
         fa:ff:99:af:24:5f:1b:a0:fd:f2:ac:84:ca:df:a9:f0:5f:04:
         2e:ad:16:bf:21:97:10:81:3d:e3:ff:87:8d:32:dc:94:e5:47:
         8a:5e:6a:13:c9:94:95:3d:d2:ee:c8:34:95:d0:80:d4:ad:32:
         08:80:54:3c:e0:bd:52:53:d7:52:7c:b2:69:3f:7f:7a:cf:6a:
         74:ca:fa:04:2a:9c:4c:5a:06:a5:e9:20:ad:45:66:0f:69:f1:
         dd:bf:e9:e3:32:8b:fa:e0:c1:86:4d:72:3c:2e:d8:93:78:0a:
         2a:f8:d8:d2:27:3d:19:89:5f:5a:7b:8a:3b:cc:0c:da:51:ae:
         c7:0b:f7:2b:b0:37:05:ec:bc:57:23:e2:38:d2:9b:68:f3:56:
         12:88:4f:42:7c:b8:31:c4:b5:db:e4:c8:21:34:e9:48:11:35:
         ee:fa:c7:92:57:c5:9f:34:e4:c7:f6:f7:0e:0b:4c:9c:68:78:
         7b:71:31:c7:eb:1e:e0:67:41:f3:b7:a0:a7:cd:e5:7a:33:36:
         6a:fa:9a:2b

SHA256 fingerprint: 67c955a76412c89af688e90a1c70f556cfd6b6025dbea10416d7eb6831f8c40
Comment 1 Kai Engert (:kaie) (inactive account) 2017-08-31 13:33:04 UTC 
I'm declaring this bug unnecessary. I suggest to stop filing such bugs in the future.

The only reason we have started to file them was an exceptional issue in the past, which hasn't ever occurred again, when a CA created an emergency refresh of a root certificate with the same key and extended validity.

The package maintainer of the ca-certificates package must carefully watch all new releases of the upstream release for such occurrences, which shall be sufficient to detect if urgent action for RHEL is necessary.

The fact that this bug has been filed doesn't help, as it would require to constantly "poll" for new upstream changes affecting this CA. This is unrealistic.

We need a "push" notification, made by the package maintainer, by watching upstream changes.
Note You need to log in before you can comment on or make changes to this bug.