Red Hat Bugzilla – Bug 1466894
update-ca-trust for Java doesn't handle self-signed certificates without CA extension
Last modified: 2017-06-30 13:38:46 EDT
Description of problem:
update-ca-trust only uses CA certs (certificates with the CA extension set), but for development our customers use self-signed certs, which are then ignored by update-ca-trust.
For pre-production software development, self-signed certificates are often used instead of CA-signed certificates. Clients of the services using these certificates need to trust them, but when trying to use them they are ignored by update-ca-trust. When keytool is used to generate the certificate, it will not set the CA flag unless specifically instructed, so this is an issue that is encountered frequently.
1) can't use keytool because update-ca-trust overwrites it
2) can't use update-ca-trust because it ignores their certificates
3) can't (easily) change certificate because it is from a 3rd party server certificate in a test environment
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. generate a self signed certificate with java's keytool:
keytool -genkey -alias example -keyalg RSA -keystore keystore.jks -keysize 2048 -dname cn=example.com
2. extract cert to pem:
keytool -export -alias example -file example.crt -keystore keystore.jks
3. copy cert to /etc/pki/ca-trust/source/
cp example.crt /etc/pki/ca-trust/source/
4. run update-ca-trust
5. check for certificate in cacerts:
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit
Actual results: new certificate not in cacerts.
Expected results: certificate in cacerts!
Changing the filter in update-ca-certs for Java fixes this, replacing the line
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
with
/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth $DEST/java/cacerts
However, other options may be a better fix.
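The report comes down to one flag: p11-kit's ca-anchors filter keeps certificates whose BasicConstraints extension says cA=TRUE, and keytool omits that extension by default. Before widening the filter to --filter=certificates (which would push every certificate in the source directory, CA or not, into cacerts), it is useful to see which files would be dropped by the current filter. The script below is an added example, not code from this bug report or from p11-kit: it walks a PEM or DER certificate with a minimal standard-library DER parser and reports the cA flag. The function names (find_basic_constraints, is_ca_anchor_candidate) and the sample inputs are constructed for this example; the samples are structural stand-ins with dummy keys and signatures, not real certificates, and the check mirrors the report's description of the filter rather than p11-kit's own selection code.

```python
"""Report whether an X.509 certificate carries BasicConstraints cA=TRUE.
Added example; not code from the bug report or from p11-kit. Standard
library only: a minimal DER walker, no signature verification."""
import base64
import sys

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19


def _length(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one DER TLV; used only to construct the sample inputs below."""
    return bytes([tag]) + _length(len(body)) + body


def parse_tlv(buf, i):
    """Read the TLV at offset i; return (tag, contents, offset after it)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def _decode_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }"""
    _, body, _ = parse_tlv(value, 0)
    ca, pathlen, i = False, None, 0
    while i < len(body):
        tag, contents, i = parse_tlv(body, i)
        if tag == 0x01:
            ca = contents != b"\x00"
        elif tag == 0x02:
            pathlen = int.from_bytes(contents, "big")
    return ca, pathlen


def find_basic_constraints(der):
    """Walk every constructed node; return (cA, pathLen) for the BasicConstraints
    extension, or None when the certificate has no such extension."""
    i = 0
    while i < len(der):
        tag, body, i = parse_tlv(der, i)
        if tag == 0x30 and body:           # candidate Extension SEQUENCE
            t0, oid, j = parse_tlv(body, 0)
            if t0 == 0x06 and oid == OID_BASIC_CONSTRAINTS:
                t1, val, j = parse_tlv(body, j)
                if t1 == 0x01:             # optional 'critical' BOOLEAN
                    t1, val, j = parse_tlv(body, j)
                if t1 == 0x04:             # extnValue OCTET STRING
                    return _decode_basic_constraints(val)
        if tag & 0x20:                     # constructed type: recurse
            found = find_basic_constraints(body)
            if found is not None:
                return found
    return None


def load_der(data):
    """Accept PEM (-----BEGIN CERTIFICATE-----) or raw DER bytes."""
    if b"-----BEGIN" in data:
        lines = [ln for ln in data.splitlines() if ln and not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def is_ca_anchor_candidate(data):
    """True only when BasicConstraints is present with cA=TRUE, the flag the
    report says keytool omits unless told otherwise."""
    bc = find_basic_constraints(load_der(data))
    return bc is not None and bc[0]


def basic_constraints_ext(ca):
    """Build a critical BasicConstraints Extension; DER omits cA when FALSE."""
    inner = tlv(0x01, b"\xff") if ca else b""
    return tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff")
               + tlv(0x04, tlv(0x30, inner)))


def sample_certificate(extensions):
    """Constructed stand-in for a DER Certificate: real layout, dummy key and
    signature. Not a usable certificate; only the structure matters here."""
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    rsa_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                    + tlv(0x0C, b"example.com"))))
    validity = tlv(0x30, tlv(0x17, b"170630000000Z") * 2)
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki
    if extensions:
        tbs += tlv(0xA3, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" * 9))


# Constructed inputs: keytool's default (no extension), a CA cert, a leaf with cA=FALSE.
KEYTOOL_STYLE = sample_certificate([])
CA_STYLE = sample_certificate([basic_constraints_ext(True)])
LEAF_STYLE = sample_certificate([basic_constraints_ext(False)])
PEM_CA = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CA_STYLE) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python check_ca_flag.py /etc/pki/ca-trust/source/*.crt
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "CA (kept by ca-anchors)" if is_ca_anchor_candidate(fh.read()) else "not CA (skipped)"
        print(f"{path}: {verdict}")
```

Run it over the files in /etc/pki/ca-trust/source/ to list which ones the current ca-anchors filter skips; a certificate exported by keytool as in step 2 above reports "not CA", matching the empty result in step 5.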