Bug 1466894 - update-ca-trust for Java doesn't handle self-signed certificates without CA extension
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ca-certificates
Assigned To: Kai Engert (:kaie)
BaseOS QE Security Team
Reported: 2017-06-30 13:03 EDT by Chris Dolphy
Modified: 2017-06-30 13:38 EDT (History)

Last Closed: 2017-06-30 13:19:49 EDT
Type: Bug

Description Chris Dolphy 2017-06-30 13:03:21 EDT
Description of problem:
update-ca-trust only uses CA certs (certificates with the CA extensions set), but for development our customers use self-signed certs, which are then ignored by update-ca-trust.

For pre-production software development, self-signed certificates are often used instead of CA-signed certificates. Clients of the services using these certificates need to trust them, but when they try to use them, the certificates are ignored by update-ca-trust. When keytool is used to generate the certificate, it will not set the CA flag unless specifically instructed, so this is an issue that is encountered frequently.

To summarize:
1) can't use keytool because update-ca-trust overwrites it
2) can't use update-ca-trust because it ignores their certificates
3) can't (easily) change the certificate because it is a third-party server certificate in a test environment

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. generate a self signed certificate with java's keytool:
keytool -genkey -alias example -keyalg RSA -keystore keystore.jks -keysize 2048 -dname cn=example.com
2. extract cert to pem:
keytool -export -alias example -file example.crt -keystore keystore.jks
3. copy cert to /etc/pki/ca-trust/source/
cp example.crt /etc/pki/ca-trust/source/
4. run update-ca-trust
5. check for certificate in cacerts:
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit

Actual results:
New certificate not in cacerts:

Expected results:
Certificate in cacerts!

Additional info:
Changing filter in update-ca-certs for java fixes this.

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth $DEST/java/cacerts

However, other options may be a better fix.
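The reproduction above uses keytool. What follows is an added example, not part of the bug report or of the ca-certificates package, that reproduces the same distinction with openssl (assumed to be on PATH) and shows the check a practitioner can run on any PEM file before dropping it into /etc/pki/ca-trust/source/: a certificate that does not carry basicConstraints CA:TRUE is not a CA certificate, so the --filter=ca-anchors extraction quoted above skips it, while --filter=certificates takes it. The "leaf" extension section mimics the keytool default described in the report (no CA flag); the "ca" section is the same certificate with the flag set. File names, section names and the classify/cert_is_ca helpers are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes openssl is on PATH.
# Reproduces the "self-signed certificate without the CA extension" case with
# openssl instead of keytool and shows the check behind p11-kit's ca-anchors
# filter: only a certificate carrying basicConstraints CA:TRUE is a CA anchor.
set -e

# cert_is_ca FILE: exit 0 if the PEM certificate has basicConstraints CA:TRUE,
# exit 1 otherwise (grep -q fails when the string is absent).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# classify FILE: name the update-ca-trust filter that would pick the cert up.
#   ca-anchors        - has CA:TRUE, exported by --filter=ca-anchors (the default)
#   certificates-only - no CA extension, exported only by --filter=certificates
classify() {
    if cert_is_ca "$1"; then
        echo ca-anchors
    else
        echo certificates-only
    fi
}

# make_self_signed DIR NAME SECTION: write DIR/NAME.crt, a self-signed cert for
# example.com with the extensions of SECTION. "leaf" mimics the keytool default
# from the report (no basicConstraints); "ca" adds basicConstraints CA:TRUE.
make_self_signed() {
    dir=$1; name=$2; section=$3
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = example.com
[ leaf ]
subjectAltName = DNS:example.com
[ ca ]
basicConstraints = critical, CA:TRUE
subjectAltName = DNS:example.com
EOF
    # Key + CSR (the config supplies the subject), then self-sign the CSR with
    # exactly the extensions of the requested section.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$dir/ext.cnf" -extensions "$section" -out "$dir/$name.crt" 2>/dev/null
}

# Stand-alone run: build both variants in a temp dir and classify them.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_self_signed "$work" keytool-style leaf
    make_self_signed "$work" with-ca-ext ca
    echo "keytool-style: $(classify "$work/keytool-style.crt")"   # certificates-only
    echo "with-ca-ext:   $(classify "$work/with-ca-ext.crt")"     # ca-anchors
    rm -rf "$work"
fi
```

A certificate that classifies as certificates-only is exactly the case the report describes. Where the certificate can be regenerated, issuing it with the "ca" section keeps the default ca-anchors extraction intact; where it cannot (the third-party case in the summary), the report's --filter=certificates change is what makes Java pick it up, at the cost of exporting every trusted certificate, not only CAs, into cacerts.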
