Bug 1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C"
Summary: client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-02 20:24 UTC by Roshni
Modified: 2020-10-04 21:31 UTC (History)
4 users (show)

Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
CA certificates are now imported with correct trust flags Previously, the "pki client-cert-import" command imported CA certificates with `CT,c,` trust flags, which was insufficient and inconsistent with other PKI tools. With this update, the command has been fixed and now sets the trust flags for CA certificates to `CT,C,C`.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:52:53 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2846 0 None None None 2020-10-04 21:31:46 UTC
Red Hat Product Errata RHBA-2017:2110 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Roshni 2017-06-02 20:24:16 UTC 
Description of problem:
client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C"

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-7.el7.noarch

How reproducible:
always

Steps to Reproduce:
[root@vm-idm-011 slapd-pki]# pki -d . -C password.txt client-cert-import "CA Certificate" --ca-cert ca.crt 
-------------------------------------
Imported certificate "CA Certificate"
-------------------------------------
[root@vm-idm-011 slapd-pki]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Certificate                                               CT,c,

Actual results:


Expected results:
The trust bits should be set to "CT,C,C"

Additional info:
Comment 2 Endi Sukma Dewata 2017-06-03 02:06:50 UTC 
Fixed in master

* https://github.com/dogtagpki/pki/commit/64b7b7abfed29b6a520be66414139364d713461e
Comment 4 Roshni 2017-06-12 15:39:57 UTC 
[root@nocp1 slapd-pki-ca-Jun12-LDAP]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 8.el7
Architecture: noarch
Install Date: Thu 08 Jun 2017 01:35:57 AM EDT
Group       : System Environment/Daemons
Size        : 2308437
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-8.el7.src.rpm
Build Date  : Thu 08 Jun 2017 12:46:20 AM EDT
Build Host  : nocp1.idm.lab.eng.rdu2.redhat.com
Relocations : (not relocatable)
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority


[root@nocp1 slapd-pki-ca-Jun12-LDAP]# pki -d . -C password.txt client-cert-import "CA Certificate" --ca-cert ca.crt 
-------------------------------------
Imported certificate "CA Certificate"
-------------------------------------
[root@nocp1 slapd-pki-ca-Jun12-LDAP]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Certificate                                               CT,C,C
Comment 5 errata-xmlrpc 2017-08-01 22:52:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
Note You need to log in before you can comment on or make changes to this bug.