Description of problem:
dogtag uses a different profile for issuing the audit certificate than it uses for renewing it. The issuing profile is for 2 years, the renewal for 6 months. They should both be for 2 years.

Version-Release number of selected component (if applicable):
pki-ca-9.0.20-1
Upstream ticket: https://fedorahosted.org/pki/ticket/333
Worked with Andrew on this to identify the correct profile to change:
* Installed and Configured Dogtag 10 CA instance
* Launched CA Agent page and noted that the CA Audit Signing certificate was serial #0x5 entitled "CN=CA Audit Signing Certificate,O=usersys.redhat.com Security Domain"
* Launched CA EE page and selected the "Enrollment/Renewal" Tab
* Selected the profile entitled "Renewal: Renew certificate to be manually approved by agents"
* Placed a "5" in the "Serial Number of Certificate to Renew" section and pressed the Submit button
  * Your request ID is 8
* Back on the CA Agent page, selected "List Requests", selected "Show renewal request" for Request type, and pressed the Find button
* Selected request #8
* Under "Certificate Profile Information" noted the following:
  * Certificate Profile Id: "caSignedLogCert"
* Under "Policy Information" noted the following:
  * #2 default values are Range=180 in days
  * #2 constraint rejects the validity that is not between 365 days
Tested out the following change:
* Shutdown the CA instance
  * systemctl stop pki-tomcatd
* Edited /var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
23c23
< policyset.caLogSigningSet.2.constraint.params.range=365
---
> policyset.caLogSigningSet.2.constraint.params.range=720
28c28
< policyset.caLogSigningSet.2.default.params.range=180
---
> policyset.caLogSigningSet.2.default.params.range=720
* Restarted the CA instance
  * systemctl start pki-tomcatd
* Launched CA EE page and selected the "Enrollment/Renewal" Tab
* Selected the profile entitled "Renewal: Renew certificate to be manually approved by agents"
* Placed a "5" in the "Serial Number of Certificate to Renew" section and pressed the Submit button
  * Your request ID is 9
* Back on the CA Agent page, selected "List Requests", selected "Show renewal request" for Request type, and pressed the Find button
* Selected request #9
* Under "Certificate Profile Information" noted the following:
  * Certificate Profile Id: "caSignedLogCert"
* Under "Policy Information" noted the following:
  * #2 default values are Range=720 in days
  * #2 constraint rejects the validity that is not between 720 days

NOTE: The reason that a new renewal request must be submitted is because the original renewal request calculates some values based upon the original "default" values (e. g. - the "Not Before" and "Not After" values in "Policy Information #2") and while a simple reload of this renewal request reflects both changes from 180/365 --> 720/720, it does not recalculate the values in "Not Before" and "Not After".
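The check behind the steps above, as an added example that is not Dogtag's own code nor part of this report: it parses the flat key=value format of a profile file such as caSignedLogCert.cfg and flags any policy whose ValidityDefault range disagrees with its ValidityConstraint range, or whose ranges differ from the intended 720 days. The sample profile excerpt and the class_id lines in it are constructed for the example.

```python
"""Check a Dogtag profile .cfg for validity-range mismatches (added example)."""
import re
from collections import defaultdict

# Matches e.g. policyset.caLogSigningSet.2.default.params.range=180
_RANGE_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\."
    r"(?P<kind>default|constraint)\.params\.range=(?P<days>\d+)\s*$"
)

def parse_ranges(cfg_text):
    """Return {(policyset, index): {'default': days, 'constraint': days}}."""
    policies = defaultdict(dict)
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = _RANGE_RE.match(line)
        if m:
            policies[(m["set"], int(m["idx"]))][m["kind"]] = int(m["days"])
    return dict(policies)

def find_mismatches(cfg_text, expected_days=None):
    """Report policies whose default and constraint ranges disagree and,
    when expected_days is given, any range that differs from it."""
    problems = []
    for (pset, idx), ranges in sorted(parse_ranges(cfg_text).items()):
        d, c = ranges.get("default"), ranges.get("constraint")
        if d is not None and c is not None and d != c:
            problems.append(f"{pset}.{idx}: default {d} != constraint {c}")
        if expected_days is not None:
            for kind, days in ranges.items():
                if days != expected_days:
                    problems.append(f"{pset}.{idx}: {kind} {days} != expected {expected_days}")
    return problems

# Constructed excerpt mirroring the values quoted in the report (not the real file).
SAMPLE_BEFORE = """\
policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
policyset.caLogSigningSet.2.constraint.params.range=365
policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
policyset.caLogSigningSet.2.default.params.range=180
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("range=365", "range=720").replace("range=180", "range=720")

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name + ":", find_mismatches(text, expected_days=720) or "OK")
```

Point it at a real profile with `find_mismatches(open(path).read(), expected_days=720)` after the CA is stopped, as in the steps above.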
Resolved in Dogtag 9 on 'DOGTAG_9_BRANCH':

commit d9c9d8e45f4d8c268576d35dddb965f156c5f3d7
Author: Matthew Harmsen <mharmsen>
Date:   Thu Sep 20 10:38:25 2012 -0700

    Audit Cert Renewal
    * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
    * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years

Resolved in Dogtag 10 on 'master':

commit f5b8ea5b087f642a0208c228dce6f700cd7d91c1
Author: Matthew Harmsen <mharmsen>
Date:   Thu Sep 20 10:23:47 2012 -0700

    Audit Cert Renewal
    * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
    * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.