Currently, CertUtils.verifySystemCerts() checks the validity of all system certificates before returning the result, without identifying which certificate failed the verification (except in the debug log):
```java
StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
while (tokenizer.hasMoreTokens()) {
    String tag = tokenizer.nextToken();
    tag = tag.trim();
    CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
    verifyResult = verifySystemCertByTag(tag);
    // a failure only clears the overall flag; the loop keeps going
    // and the failing tag is not recorded anywhere but the debug log
    if (verifyResult == false)
        r = false; // r captures the value for final return
}
```
Once a certificate is found to be invalid, checking the other certificates is actually redundant. The code is not very informative since it only returns a boolean value, so there's no way to identify programmatically which certificate is invalid. It's also hard to troubleshoot because the invalid certificate is only reported briefly in the debug log, where it can be hidden among various other debug messages.
Ideally, once a certificate is found to be invalid, the code should return immediately and identify the certificate, possibly using an exception.
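The fail-fast behaviour requested above, as an added stand-alone example; this is not Dogtag's code and not the fix that landed in ticket #850. The names `InvalidSystemCertException`, `SystemCertVerifier` and `FailFastCertCheck` are assumptions made for the example, and the verifier stand-in returns a reason string instead of the boolean that the real `verifySystemCertByTag()` returns, so the exception can say why the tag failed. The tag list and validity windows in `main` are constructed sample data, checked against a fixed clock so the run is deterministic.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;

public class FailFastCertCheck {

    // Hypothetical checked exception carrying the failing tag, so callers can
    // identify the bad certificate programmatically rather than grep a debug log.
    public static class InvalidSystemCertException extends Exception {
        private final String tag;

        public InvalidSystemCertException(String tag, String reason) {
            super("system certificate '" + tag + "' failed verification: " + reason);
            this.tag = tag;
        }

        public String getTag() {
            return tag;
        }
    }

    // Hypothetical stand-in for verifySystemCertByTag(): null means the
    // certificate for this tag is valid, otherwise the reason it is not.
    public interface SystemCertVerifier {
        String verify(String tag);
    }

    // Walks the comma-separated tag list the same way the original loop does
    // (StringTokenizer drops empty tokens, tags are trimmed) but stops at the
    // first invalid certificate and reports which one it was. On success the
    // list of verified tags is returned so the caller can log what was checked.
    public static List<String> verifySystemCerts(String certlist, SystemCertVerifier verifier)
            throws InvalidSystemCertException {
        List<String> verified = new ArrayList<>();
        if (certlist == null) {
            return verified; // nothing configured, nothing to verify
        }
        StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
        while (tokenizer.hasMoreTokens()) {
            String tag = tokenizer.nextToken().trim();
            if (tag.isEmpty()) {
                continue; // entries like " , " carry no tag
            }
            String reason = verifier.verify(tag);
            if (reason != null) {
                // Fail fast: the remaining certificates are not checked.
                throw new InvalidSystemCertException(tag, reason);
            }
            verified.add(tag);
        }
        return verified;
    }

    public static void main(String[] args) {
        // Constructed sample data: a validity window per tag (notBefore, notAfter),
        // standing in for the dates an X509Certificate.checkValidity() would consult.
        Map<String, Instant[]> validity = new HashMap<>();
        validity.put("signing", new Instant[] {
                Instant.parse("2014-01-01T00:00:00Z"), Instant.parse("2024-01-01T00:00:00Z") });
        validity.put("ocsp_signing", new Instant[] {
                Instant.parse("2014-01-01T00:00:00Z"), Instant.parse("2024-01-01T00:00:00Z") });
        validity.put("sslserver", new Instant[] {
                Instant.parse("2012-01-01T00:00:00Z"), Instant.parse("2014-01-01T00:00:00Z") });
        validity.put("audit_signing", new Instant[] {
                Instant.parse("2014-01-01T00:00:00Z"), Instant.parse("2024-01-01T00:00:00Z") });

        // Fixed clock so the sample behaves the same on every run.
        Instant now = Instant.parse("2015-01-14T00:00:00Z");

        SystemCertVerifier verifier = tag -> {
            Instant[] window = validity.get(tag);
            if (window == null) {
                return "no certificate configured for this tag";
            }
            if (now.isBefore(window[0])) {
                return "certificate not yet valid";
            }
            if (now.isAfter(window[1])) {
                return "certificate has expired";
            }
            return null;
        };

        try {
            List<String> ok = verifySystemCerts("signing, ocsp_signing, sslserver, audit_signing", verifier);
            System.out.println("all verified: " + ok);
        } catch (InvalidSystemCertException e) {
            // The failing tag is available as data, not buried in a debug log;
            // audit_signing was never checked because the loop stopped early.
            System.out.println("failed tag: " + e.getTag());
            System.out.println(e.getMessage());
        }
    }
}
```

With the sample data above, `signing` and `ocsp_signing` pass, `sslserver` throws because its window ended before the fixed clock, and `audit_signing` is never examined. A caller that still wants the old boolean can wrap the call in a try/catch, but the exception message and `getTag()` give the operator the one fact the original loop discarded.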
Per Dogtag 10.2.X meeting of 01/14/2015: Milestone 10.2 Backlog
Per 10.2.3 TRIAGE meeting of 02/26/2015: 10.3
NOTE: Moved from 10.2 Backlog since it was not a documentation/man page issue.
Fixed in ticket #850.
Metadata Update from @edewata: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1784
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.