Description of problem:
User certificate gets renewed when cert has Not After date 31 days from today. (caUserCert.cfg for renewal has graceBefore=30 and graceAfter=30).

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Set CA profile caDirUserCert.cfg to have validity period 31 days. (policyset.userCertSet.2.default.params.range=31), restart CA.
2. From the CA enrollment page, enroll for profile "Directory-Authenticated User Dual-Use Certificate Enrollment" with a valid uid and password, a certificate is generated valid for 31 days.
3. Set CA profile caDirUserCert.cfg to have default validity period 180 days. (policyset.userCertSet.2.default.params.range=180), restart CA.
4. From the CA enrollment page, enroll for profile "Directory-Authenticated User Certificate Self-Renew profile", provide user id, password and serial number of the cert.

Actual results:
Certificate gets renewed.

Expected results:
Error message "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date".

Additional info:
Same problem is found when renewal is done in other 2 ways (SSLClient and Manual agent approved).
*** Bug 481373 has been marked as a duplicate of this bug. ***
Please supply your test profile. To test grace period, you must have the following parameters in your profile, and have enabled in the policyset list:

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Since I do not see these in your bug report description, I am requesting you to attach your profile so I can take a look. Thanks.
Yes, the renewal grace period has the default values as mentioned in the Description of problem above.

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
Created attachment 347253 [details] calculate the time diff in terms of milliseconds instead of days
Created attachment 347254 [details] spec file diff
attachment (id=347253) attachment (id=347254) +mharmsen
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Sending src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 575.
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/dogtag/common
[cfu@jaw common]$ svn commit pki-common.spec
Sending pki-common.spec
Transmitting file data .
Committed revision 576.
the fix actually is no good.
Created attachment 347298 [details] had to resolve to BigInteger
Attachment (id=347298) +jmange
[cfu@jaw constraint]$ svn commit RenewGracePeriodConstraint.java
Sending RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 581.
Verified: Sorry, your request has been rejected. The reason is "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date"
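
Added example (not part of the bug thread and not the Dogtag source): a sketch of why a grace-period check done in whole days can accept the 31-day certificate from the report, while a millisecond comparison using BigInteger rejects it. The class and method names are hypothetical, the dates are constructed, and the thread does not state the exact defect, so the whole-day variant is an assumption about one way such a check can go wrong.

```java
import java.math.BigInteger;
import java.util.Date;

// Added illustration; class and method names are hypothetical, not Dogtag code.
public class GracePeriodWindowExample {
    static final long MS_PER_DAY = 24L * 60 * 60 * 1000;

    // Whole-day comparison: integer division drops the partial day, so
    // "30 days and 23 hours before expiry" is treated as 30 days.
    static boolean withinGraceWholeDays(Date notAfter, Date now,
                                        int graceBefore, int graceAfter) {
        long days = (notAfter.getTime() - now.getTime()) / MS_PER_DAY;
        return days <= graceBefore && days >= -graceAfter;
    }

    // Millisecond comparison: build the window
    // [notAfter - graceBefore days, notAfter + graceAfter days]
    // and test the current instant against it without any truncation.
    static boolean withinGraceExact(Date notAfter, Date now,
                                    int graceBefore, int graceAfter) {
        BigInteger day = BigInteger.valueOf(MS_PER_DAY);
        BigInteger expiry = BigInteger.valueOf(notAfter.getTime());
        BigInteger current = BigInteger.valueOf(now.getTime());
        BigInteger start = expiry.subtract(day.multiply(BigInteger.valueOf(graceBefore)));
        BigInteger end = expiry.add(day.multiply(BigInteger.valueOf(graceAfter)));
        return current.compareTo(start) >= 0 && current.compareTo(end) <= 0;
    }

    public static void main(String[] args) {
        // Constructed input: a certificate issued one hour ago with range=31,
        // renewed with graceBefore=30 and graceAfter=30 as in the report.
        Date now = new Date(1230768000000L);
        Date notAfter = new Date(now.getTime() - 60L * 60 * 1000 + 31 * MS_PER_DAY);

        System.out.println("whole-day check accepts renewal: "
                + withinGraceWholeDays(notAfter, now, 30, 30));
        System.out.println("millisecond check accepts renewal: "
                + withinGraceExact(notAfter, now, 30, 30));

        // Related pitfall when moving to milliseconds: 30 days of
        // milliseconds does not fit in a 32-bit int and wraps around.
        int wrapped = 30 * 24 * 60 * 60 * 1000;
        System.out.println("30 days in int milliseconds: " + wrapped);
    }
}
```

When testing a profile's graceBefore and graceAfter values, include certificates that sit just outside each edge of the window (for example one hour before it opens), since those are the cases a truncating comparison lets through.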