Description of problem:
update-ca-trust does not give any feedback at all. Even if there are invalid certificates (without CA Flag) in /etc/pki/ca-trust/source/anchors/ no error message is given, the script even exists with a zero status
Version-Release number of selected component (if applicable):
Name : ca-certificates
Version : 2017.2.14
Release : 71.el7
Just put a normal certificate (without CA Flag) in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. No error message or warning is given.
There should be some kind of warning or error message if the certificate in /etc/pki/ca-trust/source/anchors/ can not be used as a CA.
The CA certificates are processed by p11-kit, so I'm reassigning the component.
I think it's a good idea to have a consistency check for the data stored in the source directories, and get a report, that update-ca-certificates could display.
This functionality would have to be implemented by the upstream p11-kit project.
Although I filed a PR in upstream some time ago, I am tempted to withdraw the change:
The rationale is, while anchors are typically a CA certificate, there may be a use-case of marking end entity certificates trusted or distrusted, as it was possible with the trust assertions (the predecessor of trust policies):
The design document of trust policies also has this paragraph:
"At one end of a certificate chain is the end entity certificate, which is the certificate that is being validated. At the other end the certificate chain is anchored by a trust anchor. This is a public key that is explicitly trusted by the local system, either by default or by a deliberate configuration choice. Usually this public key is represented as a certificate. The anchor is usually, but not always, a root self-signed certificate authority."
I read this as the trust of a certificate chain could be asserted out-of-band (by the local system configuration), such as only taking into account of partial certificate chain.
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.