Bug 1597727

Summary: CA - Unable to change a certificate’s revocation reason from superceded to key_compromised
Product: Red Hat Enterprise Linux 7
Component: pki-core
Version: 7.5
Status: CLOSED ERRATA
Severity: high
Priority: high
Hardware: All
OS: Linux
Target Milestone: rc
Keywords: TestCaseProvided
Fixed In Version: pki-core-10.5.17-2.el7, pki-core-10.5.17-2.el7pki
Reporter: Amy Farley <afarley>
Assignee: RHCS Maintainers <rhcs-maint>
QA Contact: Asha Akkiangady <aakkiang>
CC: cfu, gkapoor, mharmsen, tscherf
Last Closed: 2020-03-31 19:53:50 UTC
Type: Bug

Comment 3 Christina Fu 2019-09-06 00:08:05 UTC
Looks like this was the "missing patch" referenced from
commit e4b9e6ed3cf03bd8c026d2d944b615f9b306219a
which references https://bugzilla.redhat.com/show_bug.cgi?id=1470410

In other words, it's already committed.

Comment 4 Christina Fu 2019-09-06 00:20:16 UTC
Testing procedure:

You could try the sslget way as provided in comment #0,
or you could try the following, which is similar to what I have in https://bugzilla.redhat.com/show_bug.cgi?id=1470410#c13
but I can provide the following to stick close to the scenario reported in comment#0.

In TPS CS.cfg, change revokeCert.reason to 4 (superseded) for the following:
op.enroll.userKey.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert.reason=4
op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false
op.enroll.userKey.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey
...
op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert.reason=4
op.enroll.userKey.keyGen.signing.recovery.terminated.revokeExpiredCerts=false
op.enroll.userKey.keyGen.signing.recovery.terminated.scheme=GenerateNewKey

Note that the default of the following revokeCert.reason settings is 1 (key compromise):
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
...
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts=false
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey

Take a previously enrolled token (I used tpsclient) and, as a TPS admin, change the status of the token to "terminated".
Check on CA for the revocation reason for the certs on token, which should be "certificate superceded".

Now as a TPS admin, change status of the token to "permanently lost".
Check on CA for the revocation reason for the certs on token, which should now be "Key compromised."

Comment 6 Geetika Kapoor 2020-01-03 12:23:59 UTC
Test Env :
=========

# cat /etc/os-release 
NAME="Red Hat Enterprise Linux Server"
VERSION="7.8 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.8"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.8 Beta (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.8:beta:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.8
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.8 Beta"


Test rpm:
========

# rpm -qa pki-*
pki-base-java-10.5.17-6.el7.noarch
pki-server-10.5.17-6.el7.noarch
pki-ca-10.5.17-6.el7.noarch
pki-tools-10.5.17-6.el7.x86_64
pki-ocsp-10.5.17-6.el7pki.noarch
pki-kra-10.5.17-6.el7.noarch
pki-base-10.5.17-6.el7.noarch
pki-symkey-10.5.17-6.el7.x86_64
pki-console-10.5.17-1.el7pki.noarch
pki-tks-10.5.17-6.el7pki.noarch
pki-tps-10.5.17-6.el7pki.x86_64


Test Steps:
===========

1. Generate one certificate.

pki -p 20080 -c SECret.123 -d  /opt/pki/certdb/ -n "PKI CA Administrator for Example.Org" client-cert-request uid=testuser

# pki -p 20080 -c SECret.123 -d  /opt/pki/certdb/ -n "PKI CA Administrator for Example.Org" ca-cert-request-review 22 --action approve
-------------------------------
Approved certificate request 22
-------------------------------
  Request ID: 22
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x14

-- Check ldap entry for it.

# ldapsearch -H ldap://10.0.97.202:3389 -x -D "CN=Directory Manager" -W -b "cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA" -s base -a always "(objectClass=*)" "*"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA> with scope baseObject
# filter: (objectClass=*)
# requesting: * 
#

# 20, certificateRepository, ca, topology-03-CA-CA
dn: cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA
objectClass: top
objectClass: certificateRecord
serialno: 0220
metaInfo: requestId:22
metaInfo: profileId:caUserCert
notBefore: 20200103071600Z
notAfter: 20200701071600Z
duration: 1115548400000
subjectName: UID=testuser
issuerName: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarma
 ster.org
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.13
dateOfCreate: 20200103071616Z
dateOfModify: 20200103071616Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: caadmin
cn: 20

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2. Now mark the generated certificate as "Superseded".

# pki -p 20080 -c SECret.123 -d  /opt/pki/certdb/ -n "PKI CA Administrator for Example.Org" ca-cert-revoke 0x14 --reason Superseded
Revoking certificate:
  Serial Number: 0x14
  Subject DN: UID=testuser
  Issuer DN: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarmaster.org
  Status: VALID
  Not Valid Before: Fri Jan 03 07:16:00 EST 2020
  Not Valid After: Wed Jul 01 07:16:00 EDT 2020
Are you sure (Y/N)? Y
--------------------------
Revoked certificate "0x14"
--------------------------
  Serial Number: 0x14
  Subject DN: UID=testuser
  Issuer DN: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarmaster.org
  Status: REVOKED
  Not Valid Before: Fri Jan 03 07:16:00 EST 2020
  Not Valid After: Wed Jul 01 07:16:00 EDT 2020
  Revoked On: Fri Jan 03 07:19:13 EST 2020
  Revoked By: caadmin


3. Check the LDAP status of the certificate after revocation.


# ldapsearch -H ldap://10.0.97.202:3389 -x -D "CN=Directory Manager" -W -b "cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA" -s base -a always "(objectClass=*)" "*"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA> with scope baseObject
# filter: (objectClass=*)
# requesting: * 
#

# 20, certificateRepository, ca, topology-03-CA-CA
dn: cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA
objectClass: top
objectClass: certificateRecord
serialno: 0220
metaInfo: requestId:22
metaInfo: profileId:caUserCert
notBefore: 20200103071600Z
notAfter: 20200701071600Z
duration: 1115548400000
subjectName: UID=testuser
issuerName: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarma
 ster.org
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.13
dateOfCreate: 20200103071616Z
dateOfModify: 20200103071913Z
certStatus: REVOKED
autoRenew: ENABLED
issuedBy: caadmin
cn: 20
revInfo: 20200103071913Z;CRLReasonExtension=4
revokedBy: caadmin
revokedOn: 20200103071913Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



4. Now use sslget to change the revocation reason. 

sslget -d /opt/pki/certdb/ -n "PKI CA Administrator for Example.Org" -p SECret.123 -e  "op=revoke&revocationReason=1&totalRecordCount=1&revokeAll=(certRecordId=0x13)" -r /ca/ee/subsystem/ca/doRevoke 10.0.97.202:20443 -v -p SECret.123

5. Check ldap database for same cert.


# ldapsearch -H ldap://10.0.97.202:3389 -x -D "CN=Directory Manager" -W -b "cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA" -s base -a always "(objectClass=*)" "*"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA> with scope baseObject
# filter: (objectClass=*)
# requesting: * 
#

# 20, certificateRepository, ca, topology-03-CA-CA
dn: cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA
objectClass: top
objectClass: certificateRecord
serialno: 0220
metaInfo: requestId:22
metaInfo: profileId:caUserCert
notBefore: 20200103071600Z
notAfter: 20200701071600Z
duration: 1115548400000
subjectName: UID=testuser
issuerName: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarma
 ster.org
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.13
dateOfCreate: 20200103071616Z
dateOfModify: 20200103072024Z
certStatus: REVOKED
autoRenew: ENABLED
issuedBy: caadmin
cn: 20
revInfo: 20200103072024Z;CRLReasonExtension=1
revokedBy: caadmin
revokedOn: 20200103072024Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Logs:

[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CMSServlet: auditSubjectID auditContext {locale=en_US, user=com.netscape.cmscore.usrgrp.User@76702d0f, userid=caadmin, AuthToken=com.netscape.certsrv.authentication.AuthToken@5b58bd82, ipAddress=10.0.97.202, authManagerId=certUserDBAuthMgr}
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CMSServlet auditSubjectID: subjectID: caadmin
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: DoRevokeTPS.process:begins
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: DoRevokeTPS.process revokeAll(certRecordId=0x14)
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: DoRevokeTPS.process:reason code = 1
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: In LdapBoundConnFactory::getConn()
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: masterConn is connected: true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: conn is connected true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: mNumConns now 5
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: searchCertificateswith time limit filter (certRecordId=0x14)
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: returnConn: mNumConns now 6
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: DoRevokeTPS.process:Certificate 0x14 has been revoked, but reason is changed
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: DoRevokeTPS.process:Certificate 0x14 is going to be revoked.
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: Repository: in getNextSerialNumber. 
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: Repository: checkRange  mLastSerialNo=24
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: Repository: getNextSerialNumber: returning 24
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: in CAPolicy.apply(requestType=revocation,requestId=24,requestStatus=begin)
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: mPolicies = class org.dogtagpki.legacy.core.policy.GenericPolicyProcessor
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: GenericPolicyProcessor: apply begins
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: GenericPolicyProcessor: apply not ProfileRequest. op=revocation
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: GenericPolicyProcessor: apply: rule count 0
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: revokeCert begins: serial:20
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: revocaton request revocation reason: Key_Compromise
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: In LdapBoundConnFactory::getConn()
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: masterConn is connected: true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: conn is connected true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: mNumConns now 5
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: returnConn: mNumConns now 6
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: already revoked cert with existing revocation reason:Superseded
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CertRecord.isCertOnHold: checking for cert serial: 20
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CertRecord.isCertOnHold:for 20 returning false
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: about to call markAsRevoked
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: In LdapBoundConnFactory::getConn()
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: masterConn is connected: true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: conn is connected true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: mNumConns now 5
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: returnConn: mNumConns now 6
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: Already-revoked cert marked revoked
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CAService.revokeCert: cert now revoked
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: In LdapBoundConnFactory::getConn()
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: masterConn is connected: true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: conn is connected true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: mNumConns now 5
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: returnConn: mNumConns now 6
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: In LdapBoundConnFactory::getConn()
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: masterConn is connected: true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: conn is connected true
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: getConn: mNumConns now 5
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: returnConn: mNumConns now 6
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: ARequestNotifier  notify mIsPublishingQueueEnabled=false mMaxThreads=1
[03/Jan/2020:07:20:24][Thread-33]: RunListeners:: noQueue  SingleRequest
[03/Jan/2020:07:20:24][Thread-33]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
[03/Jan/2020:07:20:24][Thread-33]: CertificateIssuedListener: accept 24
[03/Jan/2020:07:20:24][Thread-33]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[03/Jan/2020:07:20:24][Thread-33]: Revocation listener called.
[03/Jan/2020:07:20:24][Thread-33]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
[03/Jan/2020:07:20:24][Thread-33]: RunListeners:  noQueue  SingleRequest
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: CMSServlet: curDate=Fri Jan 03 07:20:24 EST 2020 id=caDoRevoke1 time=27
[03/Jan/2020:07:20:24][http-bio-20443-exec-15]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED


Note: Currently there is no CLI option to change the revocation reason in the ca-cert-revoke CLI.
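
Added example, not part of the bug thread or of pki-core: a Python check that automates the comparison done by eye in steps 3 and 5 above, reading two ldapsearch snapshots of the same certificateRecord and confirming the reason moved from 4 (superseded) to 1 (key compromise). The function names are hypothetical, the sample entry is trimmed from the output in comment 6, and the code assumes revInfo has the `<timestamp>;CRLReasonExtension=<n>` shape shown there.

```python
import re

# RFC 5280 CRLReason codes; 4 and 1 are the two this bug is about.
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded",
               5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

# Assumed revInfo layout, taken from the ldapsearch output on this page.
REVINFO = re.compile(r"^(\d{14}Z);.*?CRLReasonExtension=(\d+)")

def parse_ldif_entry(text):
    """Return {attr_lowercase: [values]} for one entry of ldapsearch output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # LDIF folding: continuation starts with one space
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):   # skip ldapsearch comment lines
            entry.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return entry

def revocation_state(entry):
    """Return (certStatus, reason code or None, revInfo timestamp or None)."""
    status = entry.get("certstatus", [None])[0]
    rev = entry.get("revinfo", [None])[0]
    if rev is None:
        return status, None, None
    m = REVINFO.match(rev)
    if m is None:
        raise ValueError("unrecognised revInfo value: %r" % rev)
    return status, int(m.group(2)), m.group(1)

def check_reason_change(before_ldif, after_ldif, old=4, new=1):
    """Compare two snapshots of one record; report whether old -> new is recorded."""
    b_status, b_reason, b_time = revocation_state(parse_ldif_entry(before_ldif))
    a_status, a_reason, a_time = revocation_state(parse_ldif_entry(after_ldif))
    label = lambda code: CRL_REASONS.get(code, str(code))
    problems = []
    if (b_status, b_reason) != ("REVOKED", old):
        problems.append("before: %s/%s, expected REVOKED/%s"
                        % (b_status, label(b_reason), label(old)))
    if (a_status, a_reason) != ("REVOKED", new):
        problems.append("after: %s/%s, expected REVOKED/%s"
                        % (a_status, label(a_reason), label(new)))
    return {"ok": not problems, "problems": problems,
            "reason": (label(b_reason), label(a_reason)),
            "revocation_time_moved": b_time != a_time}

# Sample input: the step 3 entry from comment 6, trimmed to the relevant attributes.
BEFORE = """\
dn: cn=20,ou=certificateRepository,ou=ca,o=topology-03-CA-CA
issuerName: CN=CA Signing Certificate,OU=topology-03-CA,O=topology-03_Foobarma
 ster.org
certStatus: REVOKED
revInfo: 20200103071913Z;CRLReasonExtension=4
"""
# The step 5 entry differs only in the revInfo timestamp and reason code.
AFTER = (BEFORE.replace("20200103071913Z", "20200103072024Z")
               .replace("CRLReasonExtension=4", "CRLReasonExtension=1"))

if __name__ == "__main__":
    print(check_reason_change(BEFORE, AFTER))
```

Passing the step 3 snapshot as both arguments reproduces the failure this bug describes, a reason that stays at superseded. `revocation_time_moved` surfaces that in the output above the revInfo timestamp moves from 20200103071913Z to 20200103072024Z together with the reason.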

Comment 8 errata-xmlrpc 2020-03-31 19:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1078