Exporting a certificate that has no private key, along with other certs/keys in the nssdb, using the PKCS12Export tool and importing it into another nss db using pk12util shows the certificate nickname as NULL.
Steps to Reproduce:
I have a caocspsigning cert imported from CA to KRA's subsystem db with a trust "C,,". Exported the certs & keys from KRA's nss db using PKCS12Export and imported using pk12util to a fresh nss db. The "caocspsigning" cert shows up as NULL. Also, the trust bits for "PKI ROOTCA Signing Cert - redhat" and "kra3auditsigningcert" are not the same after the import.

# certutil -L -d /var/lib/pki/rootkra/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
PKI ROOTCA Signing Cert - redhat                             CT,c,
kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,Pu
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
caocspsigningcert                                            C,,

# PKCS12Export -d /var/lib/pki/rootkra/alias -o KRA_SUBSYSTEM_CERTS -p ./password -w ./password

# pk12util -d /root/temp12/ -i ./KRA_SUBSYSTEM_CERTS
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# certutil -L -d /root/temp12
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,u
PKI ROOTCA Signing Cert - redhat                             ,,
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
(NULL)                                                       ,,
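A check for the symptoms in this report, as an added example that is not part of the original ticket nor Dogtag or NSS code: it parses two `certutil -L` listings and reports nicknames that disappeared, trust attributes that changed, and `(NULL)` entries. The function names are hypothetical; the sample rows are copied from the listings in the report, with header lines omitted.

```python
import re

# One certutil -L row: nickname, whitespace, then three comma-separated trust fields.
ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_listing(text):
    """Map nickname -> trust string from `certutil -L` output; header lines do not match."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def compare_listings(before_text, after_text):
    """Return sorted (nickname, problem) tuples describing what the round trip lost."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    findings = []
    for nick, trust in before.items():
        if nick not in after:
            findings.append((nick, "missing after import"))
        elif after[nick] != trust:
            findings.append((nick, f"trust changed: {trust} -> {after[nick]}"))
    if "(NULL)" in after:
        findings.append(("(NULL)", "imported without a nickname"))
    return sorted(findings)

# Rows from the source database listing in the report.
BEFORE = """PKI ROOTCA Signing Cert - redhat    CT,c,
kra3transportcert                   u,u,u
Server-Cert cert-pki-RootCA         u,u,u
kra3auditsigningcert                u,u,Pu
kra3storagecert                     u,u,u
kra3subsystemcert                   u,u,u
caocspsigningcert                   C,,"""
# Rows from the listing taken after the pk12util import.
AFTER = """kra3transportcert                u,u,u
Server-Cert cert-pki-RootCA         u,u,u
kra3auditsigningcert                u,u,u
PKI ROOTCA Signing Cert - redhat    ,,
kra3storagecert                     u,u,u
kra3subsystemcert                   u,u,u
(NULL)                              ,,"""

if __name__ == "__main__":
    for nick, problem in compare_listings(BEFORE, AFTER):
        print(f"{nick}: {problem}")
```

To use it on live databases, feed it the captured output of `certutil -L -d <dir>` for the source and destination directories.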
Per CS/DS Meeting of 07/27/2015: 10.3 (low)
Per Bug Triage of 05/05/2016: 10.4
NOTE: Might be a NSS issue (pk12util bug?).
Metadata Update from @aakkiang: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen: - Custom field feature adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field version adjusted to None - Issue close_status updated to: None - Issue priority set to: major (was: minor) - Issue set to the milestone: 10.5 (was: UNTRIAGED)
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
Per 10.5.x/10.6 Triage: 10.6
mharmsen: as this issue is quite old, it needs to be re-verified with more recent bits to see if it is still a problem
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2072
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)