Bug 440079 - Importing agent cert causes Warning in Firefox
Product: Dogtag Certificate System
Classification: Community
Component: CA
All Linux
high Severity medium
: 1.0
Assigned To: Jack Magne
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-04-01 12:53 EDT by Bob Lord
Modified: 2015-01-05 20:19 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:28:01 EDT

Attachments
Warning message screenshot (13.61 KB, image/png)
2008-04-01 12:53 EDT, Bob Lord
Example CA trust prompt (31.17 KB, image/png)
2008-04-11 21:37 EDT, Jack Magne
Diff for changed files. (4.98 KB, text/plain)
2008-05-05 14:52 EDT, Jack Magne
New wizard velocity template. (2.05 KB, text/plain)
2008-05-05 14:56 EDT, Jack Magne
New file to implement server side of fix. (4.30 KB, text/plain)
2008-05-05 16:23 EDT, Jack Magne

Description Bob Lord 2008-04-01 12:53:48 EDT
Description of problem:
When creating a new Root instance, there is a part of the wizard where the
system creates an Agent cert/key, and imports it into the browser. When that
happens, the browser displays a warning that the cert will not be imported

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a Root instance
2. Go through the wizard, create an Agent cert/key

Actual results:
The browser displays a warning message

Expected results:
No warning message.

Additional info:
I'm getting this warning on Firefox 3.  I don't know what happens on other browsers.
Comment 1 Bob Lord 2008-04-01 12:53:48 EDT
Created attachment 299924
Warning message screenshot
Comment 2 Jack Magne 2008-04-03 16:52:43 EDT
I tried this with Firefox and did NOT see this error message. I'll try
another version or two, but this leads us in the direction that we have a
Firefox 3 related issue.
Comment 3 Bob Lord 2008-04-03 17:42:46 EDT
Yes, it's an issue that is magnified with the new security mechanisms with FF3.

Comment 4 Jack Magne 2008-04-07 13:00:40 EDT
After further testing found the following:

1. It appears that this problem can happen when attempting to import simple user

2. I took a look into the PSM code and observed that this error is thrown when
the CAs cannot be verified.

3. I went into the PSM UI and for the CS's server cert, manually trusted the CA,
and the message was suppressed.

Will investigate further on how to fix this.

Comment 5 Chandrasekar Kannan 2008-04-08 09:10:29 EDT
We have noticed this with other versions of Firefox too, like Firefox 2.0.
I don't believe this is specific to ff3.
Comment 6 Jack Magne 2008-04-10 16:30:37 EDT
The CA already has a servlet called getCAChain that will import the CA's cert
chain into the user's db, which should solve this problem. The user will be
prompted with a dialog asking the user to trust the chain for various functions.
Once this is done early in the CA's config wizard, the importation of the admin
cert should not see the warning above.
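
The behaviour discussed in Comments 4 and 6, as an added example that is not part of the original comments or the Dogtag/PSM code: a cert signed by a CA fails chain verification while that CA is untrusted, and passes once the CA cert is in the trust store. It assumes the `openssl` CLI as a stand-in for the browser's check, and all names and certs are constructed.

```shell
#!/bin/sh
# Added illustration with constructed names; not Dogtag or PSM code.

# Create a throwaway self-signed CA and an agent cert signed by it in dir $1.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Agent" \
    -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/agent.pem" 2>/dev/null
}

# Return 0 if leaf cert $1 chains to a trusted root.
# $2 is the trusted CA bundle; when omitted, the trust store is empty.
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

demo() {
  work=$(mktemp -d)
  make_demo_pki "$work" || { echo "openssl failed"; return 1; }
  if chain_verifies "$work/agent.pem"; then
    echo "before CA import: agent cert accepted"
  else
    echo "before CA import: agent cert rejected (issuer not trusted)"
  fi
  if chain_verifies "$work/agent.pem" "$work/ca.pem"; then
    echo "after CA import: agent cert accepted"
  else
    echo "after CA import: agent cert rejected"
  fi
  rm -rf "$work"
}

demo
```
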

Comment 7 Jack Magne 2008-04-10 16:32:09 EDT
Currently I'm learning how the velocity based wizard code operates. The next
step will be to actually try to call "getCAChain" from the wizard and get it
working. From then, I must decide where to best place the change, in an already
existing wizard panel or in a brand new panel created just for this purpose.
Comment 8 Jack Magne 2008-04-11 21:37:37 EDT
Created attachment 302185
Example CA trust prompt
Comment 9 Jack Magne 2008-04-11 21:39:29 EDT
The resolution to this bug will also address another bug, #440348. Once the CA's
cert chain is trusted, Firefox 3 will no longer need to restrict access to the
Comment 11 Jack Magne 2008-05-05 14:52:19 EDT
Created attachment 304546
Diff for changed files.

The changes to existing files for this bug are listed here.
Comment 12 Jack Magne 2008-05-05 14:56:43 EDT
Created attachment 304547
New wizard velocity template.

This is the wizard velocity template file implementing the importation of the
CA cert chain functionality.

The path of this file is:

Comment 13 Jack Magne 2008-05-05 16:23:39 EDT
Created attachment 304554
New file to implement server side of fix.

This file implements the importation of the CA's cert chain for the server

file path:

Comment 14 Matthew Harmsen 2008-05-07 14:17:35 EDT
+ mharmsen attachment (id=304546)
+ mharmsen attachment (id=304547)
+ mharmsen attachment (id=304554)

This looks good.  Per discussions, please create a new bug marked for CS8.1
which would apply these fixes to the other 5 subsystems.

NOTE:  This bug is ONLY necessary for the case when a different browser than the
       one used to configure the CA is used.
Comment 15 Jack Magne 2008-05-07 20:15:08 EDT
cd pki/linux/common-ui/shared/admin/console/config
svn commit importcachainpanel.vm
Adding         importcachainpanel.vm
Transmitting file data .
Committed revision 36.

cd pki/redhat/common-ui/shared/admin/console/config
svn add importcachainpanel.vm
A         importcachainpanel.vm
[jmagne@dhcp-128 config]$ svn commit importcachainpanel.vm
Adding         importcachainpanel.vm
Transmitting file data .
Committed revision 15202.

cd pki/linux/common
svn commit pki-common.spec
Sending        pki-common.spec
Transmitting file data .
Committed revision 39.

cd pki/linux/ca
svn commit pki-ca.spec
Sending        pki-ca.spec
Transmitting file data .
Committed revision 37.

cd pki/linux/common-ui
svn commit pki-common-ui.spec
Sending        pki-common-ui.spec
Transmitting file data .
Committed revision 38.

cd pki/base/ca/shared/webapps/ca/WEB-INF
svn commit web.xml
Sending        web.xml
Transmitting file data .
Committed revision 40.

cd  pki/base/common/src/com/netscape/cms/servlet/csadmin
svn add ImportCAChainPanel.java
A         ImportCAChainPanel.java

[jmagne@dhcp-128 csadmin]$ svn commit ImportCAChainPanel.java
Adding         ImportCAChainPanel.java
Transmitting file data .
Committed revision 41.

Comment 16 Kashyap Chamarthy 2009-06-04 08:58:06 EDT
Verified (with build 1-June-09) with Firefox 3.0.10. No trust error by Firefox is thrown.
