Bug 1466043 - Cert validity check is invalid when system date changes
Cert validity check is invalid when system date changes
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: RHCS Maintainers
Asha Akkiangady
: GSSTriaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-28 16:44 EDT by Matthew Harmsen
Modified: 2017-11-15 11:00 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-15 11:00:51 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Harmsen 2017-06-28 16:44:29 EDT
The cert VALIDITY from CA database is printed when the command pki ca-cert-find is executed. When the system date passes the validity range and then when system date is changed back within the validity range, the cert's validity is set as EXPIRED even though it is still valid.


STEPS TO REPRODUCE:

    Check system date and validity of a certificate
    Set system date to a date beyond the expiry date
    Restart PKI instance
    Check validity through pki ca-cert-find. The certificate should be listed as EXPIRED.
    Change back the system date and restart PKI server
    Check validity through pki ca-cert-find. The certificate is still listed as EXPIRED.


EXPECTED:

The certificate's validity should be checked against local date and so the certificate should be changed to VALID.


LOG:

All Certificate are VALID but are listed as EXPIRED

[root@localhost pki-config]# pki ca-cert-find
---------------
8 entries found
---------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Tue Jun 27 12:52:20 EDT 2034
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x3
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:21 EDT 2014
  Not Valid After: Thu Jun 16 12:52:21 EDT 2016
  Issued On: Fri Jun 27 12:52:21 EDT 2014
  Issued By: system

  Serial Number: 0x7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sun Jun 28 17:41:26 EDT 2015
  Not Valid After: Sat Jun 17 17:41:26 EDT 2017
  Issued On: Sun Jun 28 18:14:09 EDT 2015
  Issued By: caadmin

  Serial Number: 0x8
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Aug 28 10:26:24 EDT 2015
  Not Valid After: Thu Jul 27 10:26:24 EDT 2017
  Issued On: Sun Jun 28 10:41:12 EDT 2015
  Issued By: caadmin
----------------------------
Number of entries returned 8
----------------------------
[root@localhost pki-config]# date
Thu Feb 25 11:05:29 EST 2016



See also this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1462308

The cert status in the cert record might be used for CRL generation.
Comment 2 Matthew Harmsen 2017-10-25 12:57:13 EDT
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Comment 3 Matthew Harmsen 2017-11-15 11:00:51 EST
ftweedal wrote:

Per discussion with Ade, closing this INVALID. If it actually breaks something please reopen and provide more info.

Note You need to log in before you can comment on or make changes to this bug.