Bug 1461533 - Unable to find keys in the p12 file after deleting any of the subsystem certs from it
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Reported: 2017-06-14 17:32 UTC by Roshni
Modified: 2020-10-04 21:32 UTC (History)
Fixed In Version: pki-core-10.4.1-10.el7
Doc Type: No Doc Update
Last Closed: 2017-08-01 22:52:53 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 2861 | 0 | None | None | None | 2020-10-04 21:32:46 UTC
Red Hat Product Errata | RHBA-2017:2110 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2017-08-01 19:36:59 UTC

Description Roshni 2017-06-14 17:32:00 UTC
Description of problem:
Unable to find key for caSigning cert in the p12 file after deleting the other subsystem certs from it

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-9.el7.noarch

How reproducible:
always

Steps to Reproduce:
[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Serial Number: 0xae25138
  Nickname: ocspSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Serial Number: 0x3a59faa
  Nickname: Server-Cert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: f352186fcb9855d639113e82576bc11816f462a8
  Serial Number: 0xa2b677
  Nickname: subsystemCert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Serial Number: 0x4e1a3bd
  Nickname: auditSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,Pu
  Has Key: true
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: f352186fcb9855d639113e82576bc11816f462a8
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
[root@nightcrawler ~]# pki pkcs12-cert-del "ocspSigningCert cert-pki-tomcat-ca-rpattath CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
--------------------------------------------------------------------
Deleted certificate "ocspSigningCert cert-pki-tomcat-ca-rpattath CA"
--------------------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-cert-del "auditSigningCert cert-pki-tomcat-ca-rpattath CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------------------------
Deleted certificate "auditSigningCert cert-pki-tomcat-ca-rpattath CA"
---------------------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-cert-del "Server-Cert cert-pki-tomcat-ca-rpattath" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
-------------------------------------------------------------
Deleted certificate "Server-Cert cert-pki-tomcat-ca-rpattath"
-------------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-cert-del "subsystemCert cert-pki-tomcat-ca-rpattath" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------------------
Deleted certificate "subsystemCert cert-pki-tomcat-ca-rpattath"
---------------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: false
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
0 entries found
---------------

Comment 2 Roshni 2017-06-14 17:50:52 UTC
http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_PKCS12_File cannot be tested because of this issue.

Comment 4 Roshni 2017-06-14 18:19:44 UTC
More information:

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: f352186fcb9855d639113e82576bc11816f462a8
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Serial Number: 0xae25138
  Nickname: ocspSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Serial Number: 0x3a59faa
  Nickname: Server-Cert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: f352186fcb9855d639113e82576bc11816f462a8
  Serial Number: 0xa2b677
  Nickname: subsystemCert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Serial Number: 0x4e1a3bd
  Nickname: auditSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,Pu
  Has Key: true
[root@nightcrawler ~]# pki pkcs12-cert-del "ocspSigningCert cert-pki-tomcat-ca-rpattath CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
--------------------------------------------------------------------
Deleted certificate "ocspSigningCert cert-pki-tomcat-ca-rpattath CA"
--------------------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
0 entries found
---------------
[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
4 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: false

  Certificate ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Serial Number: 0x3a59faa
  Nickname: Server-Cert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: false

  Certificate ID: f352186fcb9855d639113e82576bc11816f462a8
  Serial Number: 0xa2b677
  Nickname: subsystemCert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: false

  Certificate ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Serial Number: 0x4e1a3bd
  Nickname: auditSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,Pu
  Has Key: false

Comment 5 Fraser Tweedale 2017-06-15 02:44:03 UTC
Gerrit review for fix: https://review.gerrithub.io/365533

Comment 6 Matthew Harmsen 2017-06-16 00:07:45 UTC
commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de
Author: Fraser Tweedale <ftweedal>
Date:   Thu Jun 15 12:38:26 2017 +1000

    Fix regression in pkcs12 key bag creation
    
    Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
    file handling to never deal with raw private key material.
    PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
    or fail.  This change missed this case where a PKCS #12 file is
    loaded from file, possibly modified, then written back to a file,
    without involving an NSSDB.  One example is pkcs12-cert-del which
    deletes a certificate and associated key from a PKCS #12 file.
    
    Fix the PKCS12Util.addKeyBag() method to use the stored
    EncryptedPrivateKeyInfo if available, otherwise export the
    PrivateKey handle.
    
    Fixes: https://pagure.io/dogtagpki/issue/2741
    Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a

Comment 7 Matthew Harmsen 2017-06-19 22:45:08 UTC
commit 887d70ce1b8c4a00f62c2b4eec24326e487da5bd
Author: Fraser Tweedale <ftweedal>
Date:   Thu Jun 15 12:38:26 2017 +1000

    Fix regression in pkcs12 key bag creation
    
    Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
    file handling to never deal with raw private key material.
    PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
    or fail.  This change missed this case where a PKCS #12 file is
    loaded from file, possibly modified, then written back to a file,
    without involving an NSSDB.  One example is pkcs12-cert-del which
    deletes a certificate and associated key from a PKCS #12 file.
    
    Fix the PKCS12Util.addKeyBag() method to use the stored
    EncryptedPrivateKeyInfo if available, otherwise export the
    PrivateKey handle.
    
    Fixes: https://pagure.io/dogtagpki/issue/2741
    Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
    (cherry picked from commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de)

Comment 9 Roshni 2017-06-23 19:14:23 UTC
[root@nightcrawler ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 10.el7
Architecture: noarch
Install Date: Fri 23 Jun 2017 02:53:39 PM EDT
Group       : System Environment/Daemons
Size        : 2308399
License     : GPLv2
Signature   : RSA/SHA256, Tue 20 Jun 2017 09:41:59 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-10.el7.src.rpm
Build Date  : Tue 20 Jun 2017 01:23:22 AM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority


[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-pki-rootca CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-rootca CA
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Serial Number: 0x4
  Nickname: subsystemCert cert-pki-rootca
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 8059c2f1482305c2874866b6d994eb81157ecd2
  Serial Number: 0x3
  Nickname: Server-Cert cert-pki-rootca
  Subject DN: CN=kvm-02-guest13.rhts.eng.bos.redhat.com,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Serial Number: 0x5
  Nickname: auditSigningCert cert-pki-rootca CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,Pu
  Has Key: true
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 8059c2f1482305c2874866b6d994eb81157ecd2
  Subject DN: CN=kvm-02-guest13.rhts.eng.bos.redhat.com,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
[root@nightcrawler ~]# pki pkcs12-cert-del "Server-Cert cert-pki-rootca" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
-------------------------------------------------
Deleted certificate "Server-Cert cert-pki-rootca"
-------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
4 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
[root@nightcrawler ~]# pki pkcs12-cert-del "subsystemCert cert-pki-rootca" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------
Deleted certificate "subsystemCert cert-pki-rootca"
---------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-cert-del "auditSigningCert cert-pki-rootca CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------------
Deleted certificate "auditSigningCert cert-pki-rootca CA"
---------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
2 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
[root@nightcrawler ~]# pki pkcs12-cert-del "ocspSigningCert cert-pki-rootca CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
--------------------------------------------------------
Deleted certificate "ocspSigningCert cert-pki-rootca CA"
--------------------------------------------------------
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
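
The by-eye comparison made in Comments 4 and 9 (every listed certificate reports "Has Key: true" and has a key entry with the same ID, and no key is left without a certificate) can be scripted as a regression check. This is an added example, not part of the bug report or of Dogtag PKI; the sample listings are constructed and the names `parse_listing` and `check_p12` are hypothetical.

```python
import re

# Constructed listings in the shape of the `pki pkcs12-cert-find` and
# `pki pkcs12-key-find` output in this report (IDs and names are made up).
CERTS_BROKEN = """\
---------------
2 entries found
---------------
  Certificate ID: 1111aaaa
  Nickname: caSigningCert cert-pki-example CA
  Has Key: false

  Certificate ID: 2222bbbb
  Nickname: subsystemCert cert-pki-example
  Has Key: false
"""
KEYS_BROKEN = "---------------\n0 entries found\n---------------\n"
CERTS_FIXED = CERTS_BROKEN.replace("Has Key: false", "Has Key: true")
KEYS_FIXED = """\
---------------
2 entries found
---------------
  Key ID: 1111aaaa
  Subject DN: CN=CA Signing Certificate,O=example

  Key ID: 2222bbbb
  Subject DN: CN=Subsystem Certificate,O=example
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+): (.*)$")
COUNT = re.compile(r"^(\d+) entries found$")


def parse_listing(output):
    """Return (declared_count, entries) for one pkcs12-*-find listing."""
    declared, entries, current = None, [], {}
    for line in output.splitlines():
        field = FIELD.match(line)
        if field:
            current[field.group(1)] = field.group(2).strip()
            continue
        if current:  # a blank line or a shell prompt ends the entry
            entries.append(current)
            current = {}
        count = COUNT.match(line)
        if count:
            declared = int(count.group(1))
    if current:
        entries.append(current)
    return declared, entries


def check_p12(cert_output, key_output):
    """Return certificate/key mismatches; an empty list means consistent."""
    cert_count, certs = parse_listing(cert_output)
    key_count, keys = parse_listing(key_output)
    problems = []
    if cert_count != len(certs) or key_count != len(keys):
        problems.append("entry count does not match listing header")
    key_ids = {k["Key ID"] for k in keys}
    for cert in certs:
        if cert.get("Has Key") != "true" or cert["Certificate ID"] not in key_ids:
            problems.append("no key for: " + cert["Nickname"])
    for orphan in sorted(key_ids - {c["Certificate ID"] for c in certs}):
        problems.append("key without certificate: " + orphan)
    return problems


if __name__ == "__main__":
    print(check_p12(CERTS_BROKEN, KEYS_BROKEN))
```

In practice the two inputs are the captured output of the `pki pkcs12-cert-find` and `pki pkcs12-key-find` commands shown above, taken after each `pki pkcs12-cert-del`.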

Comment 10 errata-xmlrpc 2017-08-01 22:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

