Description of problem:
When creating a new Root instance, there is a part of the wizard where the system created an Agent cert/key, and imports it into the browser. When that happens, the browser displays a warning that the cert will not be imported.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install a Root instance
2. Go through the wizard, create an Agent cert/key
3.

Actual results: The browser displays a warning message

Expected results: No warning message.

Additional info: I'm getting this warning on Firefox 3. I don't know what happens on other browsers.
Created attachment 299924 [details] Warning message screenshot
I tried this with Firefox 2.0.0.8 and did NOT see this error message. I'll try another version or two, but this leads us in the direction that we have a Firefox 3 related issue.
Yes, it's an issue that is magnified with the new security mechanisms with FF3.
After further testing found the following:
1. It appears that this problem can happen when attempting to import simple user certificates.
2. I took a look into the PSM code and observed that this error is thrown when the CAs cannot be verified.
3. I went into the PSM UI and for the CS's server cert, manually trusted the CA, and the message was suppressed.
Will investigate further on how to fix this.
We have noticed this with other versions of Firefox too, like Firefox 2.0. I don't believe this is specific to FF3.
The CA already has a servlet called getCAChain that will import the CA's cert chain into the user's db, which should solve this problem. The user will be prompted with a dialog asking the user to trust the chain for various functions. Once this is done early in the CA's config wizard, the importation of the admin cert should not see the warning above.
Currently I'm learning how the Velocity-based wizard code operates. The next step will be to actually try to call "getCAChain" from the wizard and get it working. From then, I must decide where to best place the change, in an already existing wizard panel or in a brand new panel created just for this purpose.
Created attachment 302185 [details] Example CA trust prompt
The resolution to this bug will also address another bug, #440348. Once the CA's cert chain is trusted, Firefox 3 will no longer need to restrict access to the server.
Created attachment 304546 [details] Diff for changed files. The changes to existing files for this bug listed here.
Created attachment 304547 [details] New wizard velocity template. This is the wizard velocity template file implementing the importation of the CA cert chain functionality. The path of this file is: pki/linux/common-ui/shared/admin/console/config/importcachainpanel.vm
Created attachment 304554 [details] New file to implement server side of fix. This file implements the importation of the CA's cert chain for the server side. file path: /pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
+ mharmsen attachment (id=304546)
+ mharmsen attachment (id=304547)
+ mharmsen attachment (id=304554)

This looks good. Per discussions, please create a new bug marked for CS8.1 which would apply these fixes to the other 5 subsystems.

NOTE: This bug is ONLY necessary for the case when a different browser than the one used to configure the CA is used.
cd pki/linux/common-ui/shared/admin/console/config
svn commit importcachainpanel.vm
Adding importcachainpanel.vm
Transmitting file data .
Committed revision 36.

cd pki/redhat/common-ui/shared/admin/console/config
svn add importcachainpanel.vm
A importcachainpanel.vm
[jmagne@dhcp-128 config]$ svn commit importcachainpanel.vm
Adding importcachainpanel.vm
Transmitting file data .
Committed revision 15202.

cd pki/linux/common
svn commit pki-common.spec
Sending pki-common.spec
Transmitting file data .
Committed revision 39.

cd pki/linux/ca
svn commit pki-ca.spec
Sending pki-ca.spec
Transmitting file data .
Committed revision 37.

cd pki/linux/common-ui
svn commit pki-common-ui.spec
Sending pki-common-ui.spec
Transmitting file data .
Committed revision 38.

cd pki/base/ca/shared/webapps/ca/WEB-INF
svn commit web.xml
Sending web.xml
Transmitting file data .
Committed revision 40.

cd pki/base/common/src/com/netscape/cms/servlet/csadmin
svn add ImportCAChainPanel.java
A ImportCAChainPanel.java
[jmagne@dhcp-128 csadmin]$ svn commit ImportCAChainPanel.java
Adding ImportCAChainPanel.java
Transmitting file data .
Committed revision 41.
Verified (with build 1-June-09) with Firefox 3.0.10. No trust error by Firefox is thrown.