Bug 1710632 - certmonger should download full CA chain from IPA
Summary: certmonger should download full CA chain from IPA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: certmonger
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Rob Crittenden
QA Contact: ipa-qe
Depends On:
Reported: 2019-05-15 22:07 UTC by Rob Crittenden
Modified: 2020-01-20 09:16 UTC

Fixed In Version: certmonger-0.79.7-4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:


Description Rob Crittenden 2019-05-15 22:07:16 UTC
Description of problem:
certmonger can download the root certificate from an IPA master. It currently uses cn=cacert,cn=ipa,cn=etc,$SUFFIX as the source of that, but it should use cn=certificates,cn=ipa,cn=etc,$SUFFIX instead to pull in all known CA certificates. This will include the entire chain that needs to be trusted by IPA.

This is for use with the -F option.

Note that IPA provides a mechanism to download these certificates system-wide, ipa-certupdate.

Version-Release number of selected component (if applicable):
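
Why the search base matters, as an added example that is not certmonger or IPA code: it assumes an IPA CA signed by an external root, with the single cn=cacert entry holding only the IPA CA certificate. The suffix, certificate names and in-memory directory are constructed, and links are matched by subject/issuer name only, with no signature verification.

```python
# Added illustration with constructed data; not certmonger or IPA source code.
SUFFIX = "dc=example,dc=test"  # constructed suffix


def old_base(suffix):
    """Entry the bug says certmonger currently reads."""
    return f"cn=cacert,cn=ipa,cn=etc,{suffix}"


def new_base(suffix):
    """Container the bug says certmonger should read instead."""
    return f"cn=certificates,cn=ipa,cn=etc,{suffix}"


# Constructed stand-in for the directory: DN -> (subject, issuer) of the stored CA cert.
# Assumption: the IPA CA is subordinate to an external root CA.
DIRECTORY = {
    old_base(SUFFIX): ("CN=IPA CA", "CN=External Root"),
    f"cn=IPA CA,{new_base(SUFFIX)}": ("CN=IPA CA", "CN=External Root"),
    f"cn=External Root,{new_base(SUFFIX)}": ("CN=External Root", "CN=External Root"),
}


def fetch(base, scope):
    """Simulate an LDAP search: 'base' returns the entry itself, 'sub' the entries beneath it."""
    if scope == "base":
        return [DIRECTORY[base]] if base in DIRECTORY else []
    tail = "," + base.lower()
    return [cert for dn, cert in DIRECTORY.items() if dn.lower().endswith(tail)]


def chain_to_root(leaf_issuer, cas):
    """Follow issuer names up to a self-signed CA; return the path, or None if a link is missing."""
    by_subject = dict(cas)
    path, current = [], leaf_issuer
    while current in by_subject and current not in path:
        path.append(current)
        if by_subject[current] == current:  # self-signed root reached
            return path
        current = by_subject[current]
    return None  # chain is incomplete with the CA set that was downloaded


if __name__ == "__main__":
    print("cn=cacert only :", chain_to_root("CN=IPA CA", fetch(old_base(SUFFIX), "base")))
    print("cn=certificates:", chain_to_root("CN=IPA CA", fetch(new_base(SUFFIX), "sub")))
```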

Comment 3 Rob Crittenden 2019-10-16 20:22:34 UTC
master: b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864

Comment 8 Mohammad Rizwan 2020-01-20 09:16:28 UTC
Test passed in CI pipeline. Hence marking the bug as verified.
