PKCS12Export is used in the migration scenario to export all certificates from a PKI 9 master to a PKI 10 replica. Currently, PKCS12Export on PKI 9 does not store the nicknames of the CA certificates (including the root CA or 3rd-party CAs) in the PKCS #12 output file.
See base/java-tools/src/com/netscape/cmstools/PKCS12Export.java:
byte[] localKeyId = addCertBag(certs[i], null, safeContents);
When the PKCS #12 file is imported into the PKI 10 replica, the CA certificates will be assigned new nicknames, which might differ from the original nicknames on the master.
Ideally, the certificate nicknames should be exported so that the nicknames are consistent between the master and the replica, but so far there doesn't seem to be a problem since PKI doesn't access the external CA certificates directly. However, if other tools (e.g. certmonger) are monitoring the certificates by their nicknames, there might be a problem if the nicknames are not consistent after cloning.
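As an added illustration of what the missing nickname looks like on the wire (constructed example code written for this note, not Dogtag's PKCS12Export or JSS code): an NSS nickname travels in a PKCS #12 file as the PKCS #9 friendlyName bag attribute on the CertBag, so passing null where addCertBag() takes the nickname simply leaves that attribute out. The pure-Python writer/reader below builds an unencrypted, MAC-less PFX once the PKI 9 way and once with nicknames, then reads both back. The certificate bytes are stand-ins, not real DER certificates, and the function and constant names are this example's own.

```python
"""Minimal DER writer/reader for the certificate part of a PKCS #12 (PFX) file,
showing what the missing friendlyName means on the wire. Constructed example for
this issue, not Dogtag's code; the certificate bytes below are stand-ins."""

# --- DER encoding (single-byte tags, definite lengths) ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):     return der(0x30, b"".join(items))
def set_of(*items):  return der(0x31, b"".join(items))
def octets(b):       return der(0x04, b)
def integer(n):      return der(0x02, bytes([n]))             # small non-negative n only
def bmp_string(s):   return der(0x1E, s.encode("utf-16-be"))  # friendlyName is a BMPString
def explicit0(body): return der(0xA0, body)                   # [0] EXPLICIT
def oid(dotted):     return der(0x06, oid_body(dotted))

def oid_body(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return bytes(out)

OID_DATA          = "1.2.840.113549.1.7.1"        # PKCS #7 data ContentInfo
OID_CERT_BAG      = "1.2.840.113549.1.12.10.1.3"  # PKCS #12 certBag
OID_X509_CERT     = "1.2.840.113549.1.9.22.1"     # certBag certId: x509Certificate
OID_FRIENDLY_NAME = "1.2.840.113549.1.9.20"       # PKCS #9 friendlyName: the NSS nickname

def cert_bag(cert_der, nickname=None):
    """SafeBag holding an X.509 CertBag. As with PKCS12Export.addCertBag(),
    nickname=None emits no bagAttributes, so the name is simply absent."""
    cert_value = seq(oid(OID_X509_CERT), explicit0(octets(cert_der)))
    bag = oid(OID_CERT_BAG) + explicit0(cert_value)
    if nickname is not None:
        bag += set_of(seq(oid(OID_FRIENDLY_NAME), set_of(bmp_string(nickname))))
    return seq(bag)

def pfx(bags):
    """PFX v3, one unencrypted data SafeContents, no MAC (a real export encrypts and MACs)."""
    auth_safe = seq(seq(oid(OID_DATA), explicit0(octets(seq(*bags)))))
    return seq(integer(3), seq(oid(OID_DATA), explicit0(octets(auth_safe))))

# --- DER reading ---
def _tlv(b, i):
    tag, l, j = b[i], b[i + 1], i + 2
    if l & 0x80:
        n = l & 0x7F
        l, j = int.from_bytes(b[j:j + n], "big"), j + n
    return tag, b[j:j + l], j + l

_body = lambda tlv_bytes: _tlv(tlv_bytes, 0)[1]   # contents of a single TLV

def _children(body):
    out, i = [], 0
    while i < len(body):
        tag, val, i = _tlv(body, i)
        out.append((tag, val))
    return out

def _data_content(content_info_body):
    ctype, content = _children(content_info_body)
    assert ctype[1] == oid_body(OID_DATA), "only unencrypted data ContentInfo handled"
    return _body(_body(content[1]))   # [0] EXPLICIT -> OCTET STRING -> inner SEQUENCE body

def read_cert_bags(pfx_der):
    """Return [(nickname or None, cert_der), ...] in bag order."""
    _version, auth_safe_ci = _children(_body(pfx_der))[:2]
    found = []
    for _, ci_body in _children(_data_content(auth_safe_ci[1])):
        for _, bag_body in _children(_data_content(ci_body)):
            parts = _children(bag_body)
            if parts[0][1] != oid_body(OID_CERT_BAG):
                continue
            cert_der = _body(_children(_body(parts[1][1]))[1][1])
            nickname = None
            for _, attr in (_children(parts[2][1]) if len(parts) > 2 else []):
                a_type, a_values = _children(attr)
                if a_type[1] == oid_body(OID_FRIENDLY_NAME):
                    nickname = _body(a_values[1]).decode("utf-16-be")
            found.append((nickname, cert_der))
    return found

# Constructed stand-ins for the DER of two CA certificates (not real certs).
CA_CERTS = [("Root CA", b"root-ca-der"), ("Third-Party CA", b"third-party-ca-der")]

def export_like_pki9(certs):
    """What the PKI 9 exporter does: addCertBag(cert, null, safeContents)."""
    return pfx([cert_bag(d, None) for _, d in certs])

def export_with_nicknames(certs):
    """The behaviour the issue asks for: carry each nickname as friendlyName."""
    return pfx([cert_bag(d, nick) for nick, d in certs])
```

Reading back `export_like_pki9(CA_CERTS)` yields the two certificates with `None` for every nickname, which is exactly the position the PKI 10 importer is in when it has to assign names of its own; `export_with_nicknames(CA_CERTS)` round-trips "Root CA" and "Third-Party CA" unchanged, so a tool that tracks certificates by nickname would find them under the same names on the replica.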
Seems to be no longer an issue.
Metadata Update from @edewata: - Issue set to the milestone: 9.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2392
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.