Description of problem: I have a custom CMC profile that will take the requested validity period out of the embedded CRMF request and use that for the validity period on the certificate. The user-supplied validity is being ignored and the issued certificate has a notBefore and notAfter time that is exactly the same and is the current time. How reproducible: Always Steps to Reproduce: 1. first attachment to the bug is the full contents of my custom profile, it represents the contents of /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg. 2. Go to end-entity interface and select the profile uses caFullCMCUserCert.cfg, should be the second one labeled "Signed CMC-Authenticated User Certificate Enrollment", mouse over it and look at the end of the url for .../profileSelect?profileId=caFullCMCUserCert 3. paste in a CMC (attachment 300295 [details]) request with an embedded CRMF containing validity information and submit it. 4. Inspect the resulting certificate's notBefore and notAfter times Actual results: notBefore = notAfter = current time Expected results: notBefore and notAfter = the values from the CRMF request (CRMF contains UTCTime 03/04/2008 18:06:54 GMT and UTCTime 04/04/2008 18:06:54 GMT) Additional info: In the debug log for the CA there is the following exception. I'm not sure where else to look for further info: [08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate start [08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate java.security.cert.CertificateException: CertificateValidity class type invalid. [08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate end Further down in the log when it shows the TBS cert request it shows the notBefore and notAfter are the same time: [08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate start [08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: millisDiff=0 notAfter=1207675614000 notBefore=1207675614000 [08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: long_days: 0 [08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: days: 0 [08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate end and Validity: [From: Tue Apr 08 13:26:54 EDT 2008, To: Tue Apr 08 13:26:54 EDT 2008] ------------- If you go back to the profiles page and select the first "Signed CMC-Authenticated User Certificate Enrollment" (link ends with ..profileSelect?profileId=caCMCUserCert) and paste in the same request, the cert will be issued with 180 day validity because that profile has a hardcoded 180 day validity period: policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl policyset.cmcUserCertSet.2.constraint.name=Validity Constraint policyset.cmcUserCertSet.2.constraint.params.range=365
Created attachment 301665 [details] contents of my custom profile
Created attachment 301684 [details] base64 crmf request and asn1dump of the request
Upstream ticket: https://fedorahosted.org/pki/ticket/453