Bug 1466043 - Cert validity check is invalid when system date changes
Summary: Cert validity check is invalid when system date changes
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-28 20:44 UTC by Matthew Harmsen
Modified: 2020-10-04 21:34 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-15 16:00:51 UTC
Target Upstream Version:
Embargoed:


Links:
  System: Github
  ID: dogtagpki pki issues 2889
  Private: 0
  Priority: None
  Status: None
  Summary: None
  Last Updated: 2020-10-04 21:34:27 UTC

Description Matthew Harmsen 2017-06-28 20:44:29 UTC
The cert VALIDITY from the CA database is printed when the command pki ca-cert-find is executed. When the system date passes the validity range and the system date is then changed back to within the validity range, the cert's validity is set as EXPIRED even though it is still valid.


STEPS TO REPRODUCE:

    1. Check system date and validity of a certificate
    2. Set system date to a date beyond the expiry date
    3. Restart PKI instance
    4. Check validity through pki ca-cert-find. The certificate should be listed as EXPIRED.
    5. Change back the system date and restart PKI server
    6. Check validity through pki ca-cert-find. The certificate is still listed as EXPIRED.


EXPECTED:

The certificate's validity should be checked against local date and so the certificate should be changed to VALID.


LOG:

All certificates are VALID but are listed as EXPIRED

[root@localhost pki-config]# pki ca-cert-find
---------------
8 entries found
---------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Tue Jun 27 12:52:20 EDT 2034
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x3
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016
  Issued On: Fri Jun 27 12:52:20 EDT 2014
  Issued By: system

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Jun 27 12:52:21 EDT 2014
  Not Valid After: Thu Jun 16 12:52:21 EDT 2016
  Issued On: Fri Jun 27 12:52:21 EDT 2014
  Issued By: system

  Serial Number: 0x7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sun Jun 28 17:41:26 EDT 2015
  Not Valid After: Sat Jun 17 17:41:26 EDT 2017
  Issued On: Sun Jun 28 18:14:09 EDT 2015
  Issued By: caadmin

  Serial Number: 0x8
  Subject DN: CN=localhost.localdomain,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Fri Aug 28 10:26:24 EDT 2015
  Not Valid After: Thu Jul 27 10:26:24 EDT 2017
  Issued On: Sun Jun 28 10:41:12 EDT 2015
  Issued By: caadmin
----------------------------
Number of entries returned 8
----------------------------
[root@localhost pki-config]# date
Thu Feb 25 11:05:29 EST 2016



See also this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1462308

The cert status in the cert record might be used for CRL generation.
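
The report's point is that Status is a stored field in the cert record rather than something recomputed from the clock. The following added example (not Dogtag or pki code) parses an excerpt of the ca-cert-find output quoted above, recomputes each record's validity from its Not Valid Before/After dates against the `date` shown in the report, and flags records where the stored Status disagrees. It assumes fixed UTC offsets for the EST/EDT abbreviations and the field names exactly as the log prints them.

```python
# Added example (not Dogtag/pki code): recompute validity from the dates that
# `pki ca-cert-find` prints and flag records whose stored Status disagrees.
import re
from datetime import datetime, timedelta, timezone

# UTC offsets for the zone abbreviations seen in the report's log (assumed fixed).
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0}

def parse_pki_date(text):
    """'Fri Jun 27 12:52:20 EDT 2014' -> timezone-aware datetime."""
    _dow, mon, day, clock, zone, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))

def parse_cert_find(output):
    """One dict of 'Field: value' pairs per blank-line-separated record."""
    records = [dict(re.findall(r"^\s*([^:\n]+?):\s*(.*)$", block, re.M))
               for block in re.split(r"\n\s*\n", output.strip())]
    return [r for r in records if "Serial Number" in r]

def computed_status(cert, now):
    """Status derived only from notBefore <= now <= notAfter."""
    not_before = parse_pki_date(cert["Not Valid Before"])
    not_after = parse_pki_date(cert["Not Valid After"])
    if now < not_before:
        return "NOT_YET_VALID"
    return "EXPIRED" if now > not_after else "VALID"

def stale_records(output, now):
    """(serial, stored status, recomputed status) for every disagreement."""
    return [(c["Serial Number"], c["Status"], s)
            for c in parse_cert_find(output)
            if (s := computed_status(c, now)) != c["Status"]]

# Abbreviated excerpt of the report's output (serials 0x1 and 0x2; other fields dropped).
SAMPLE = """  Serial Number: 0x1
  Status: VALID
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Tue Jun 27 12:52:20 EDT 2034

  Serial Number: 0x2
  Status: EXPIRED
  Not Valid Before: Fri Jun 27 12:52:20 EDT 2014
  Not Valid After: Thu Jun 16 12:52:20 EDT 2016"""
NOW = parse_pki_date("Thu Feb 25 11:05:29 EST 2016")  # `date` output in the report

if __name__ == "__main__":
    for serial, stored, actual in stale_records(SAMPLE, NOW):
        print(f"{serial}: record says {stored}, clock says {actual}")
```

Run against the full output in the report, the same check would flag every record marked EXPIRED whose Not Valid After still lies ahead of the Feb 2016 clock.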

Comment 2 Matthew Harmsen 2017-10-25 16:57:13 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 3 Matthew Harmsen 2017-11-15 16:00:51 UTC
ftweedal wrote:

Per discussion with Ade, closing this INVALID. If it actually breaks something please reopen and provide more info.

