When generating CSRs, certmonger does not necessarily encode the subject the same way as in the original certificate. When renewing a CA certificate stored in an NSS database, it causes the certificate chain to break, as NSS expects the subject not to change at the DER level.
Patch fixing the issue: 0001-Store-DER-versions-of-subject-issuer-and-template-su.patch
Do you have a sample certificate that led to this problem? I'm increasingly curious about what form the subject name is taking that the (admittedly possibly-lossy) conversion to a string and then re-parsing of that string produces a different result.
Sample IPA CA certificate: ipa.crt
It happens for CA certificates created by Dogtag on IPA install. They use UTF8String for attribute values in the subject, which are converted to PrintableString when you decode and encode them again.
Ah, that makes sense. I was wondering about attribute-to-OID conversions, but I hadn't thought about the tagging of string values. Thanks for clarifying!
Metadata Update from @nalin: - Issue assigned to nalin - Issue set to the milestone: 0.74
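The effect discussed in this ticket, as an added example that is not certmonger's code or the attached patch: a subject whose values are tagged UTF8String is decoded and re-encoded as PrintableString, so the string form is unchanged while the DER bytes are not. The subject values and all helper names are constructed for illustration, and "always re-encode as PrintableString" is a simplifying assumption standing in for the decode/encode round trip described above.

```python
# Added illustration; helper names and the sample subject are constructed.
UTF8STRING, PRINTABLESTRING = 0x0C, 0x13
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName
OID_CN = bytes.fromhex("550403")   # 2.5.4.3 commonName
OID_NAMES = {OID_O: "O", OID_CN: "CN"}

def tlv(tag, value):
    """DER tag-length-value; short-form length only (enough for this sample)."""
    if len(value) >= 0x80:
        raise ValueError("long-form lengths not handled in this sketch")
    return bytes([tag, len(value)]) + value

def encode_name(rdns, string_tag):
    """Encode [(oid, text), ...] as an X.501 Name, one attribute per RDN."""
    body = b""
    for oid, text in rdns:
        atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode("utf-8")))
        body += tlv(0x31, atv)           # SET OF AttributeTypeAndValue
    return tlv(0x30, body)               # SEQUENCE OF RDN

def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_name(der):
    """Return ([(oid, text)], [string tags]) for a Name built by encode_name."""
    _, body, _ = read_tlv(der, 0)
    rdns, tags, pos = [], [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, nxt = read_tlv(atv, 0)
        tag, value, _ = read_tlv(atv, nxt)
        rdns.append((oid, value.decode("utf-8")))
        tags.append(tag)
    return rdns, tags

def to_text(der):
    return ",".join(f"{OID_NAMES[o]}={v}" for o, v in decode_name(der)[0])

def lossy_roundtrip(der):
    """Decode to attribute/value pairs, then re-encode as PrintableString."""
    return encode_name(decode_name(der)[0], PRINTABLESTRING)

SUBJECT = [(OID_O, "EXAMPLE.TEST"), (OID_CN, "Certificate Authority")]
original = encode_name(SUBJECT, UTF8STRING)   # tagging as issued, per the ticket
reencoded = lossy_roundtrip(original)         # tagging after decode and re-encode

if __name__ == "__main__":
    print(to_text(original) == to_text(reencoded))   # same string form
    print(original == reencoded)                     # different DER bytes
```

A byte-exact comparison of the two encodings fails even though both render to the same subject string, which is why keeping the original DER, as the patch title describes, avoids the mismatch.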