Description of problem: pki pkcs12 cli import and export issues.
Version-Release number of selected component (if applicable): 10.5.1-11.el7
How reproducible: Always
Steps to Reproduce:
1. pki pkcs12-export with --no-chain is exporting chain.

root@pki1 # pki -d /opt/pki/certdb/ -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-chain
---------------
Export complete
---------------
root@pki1 # pki pkcs12-cert-find --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123
---------------
2 entries found
---------------
  Certificate ID: ad448d4a22ef1ea7ba074701a116bda6d34ef79f
  Serial Number: 0x6
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: bb7f1fff70ac0648925bc1c12caf013e6f8b100a
  Serial Number: 0x1
  Nickname: CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false

Here the CA certificate is not expected.
/tmp/all_certs.p12
root@pki1 # certutil -L -d /tmp/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
PKI CA Administrator for Example.Org                         u,u,u
CA

root@pki1 # pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-key "PKI CA Administrator for Example.Org"
---------------
Export complete
---------------
root@pki1 # pki -d /tmp/nssdb -c Secret123 client-init --force
------------------
Client initialized
------------------
root@pki1 # pki -d /tmp/nssdb -c Secret123 client-cert-import --pkcs12 /tmp/all_cert.p12 --pkcs12-password Secret123
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------
root@pki1 # certutil -L -d /tmp/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
PKI CA Administrator for Example.Org                         u,u,u
CA                                                           ,,

It is exporting keys in the p12 file.

pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 "DJFLSDJFLSDKJFLDSKJF"
---------------
Export complete
---------------

Actual results:
1. It exports CA certificate with --no-chain option.
2. It does not import the trust flags as per the pkcs12 file.
3. It exports private key with --no-key option.
4. It shows export complete message for invalid certificate nick.

Expected results:
1. It should not export CA certificate with --no-chain option.
2. It should import trust flags as per the pkcs12 file.
3. It should not export private key with --no-key option.
4. It should throw an error for invalid certificate nick.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1572057
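
A regression check for results 1 and 3 above, added here as an illustration and not part of the original report or the Dogtag code base: it parses `pki pkcs12-cert-find` output and flags entries that contradict the export options. The one-field-per-line layout of the sample, the function names `parse_entries` and `check_export`, and the rule that a "chain" certificate is one whose Subject DN is the Issuer DN of another entry are assumptions.

```python
import re

# Constructed sample: the pkcs12-cert-find listing from the report, one field per line.
SAMPLE = """\
2 entries found
  Certificate ID: ad448d4a22ef1ea7ba074701a116bda6d34ef79f
  Serial Number: 0x6
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: bb7f1fff70ac0648925bc1c12caf013e6f8b100a
  Serial Number: 0x1
  Nickname: CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_entries(text):
    """Split pkcs12-cert-find output into one dict per certificate entry."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banners, counts and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate ID":
            entries.append({})  # each entry starts with its ID
        if entries:
            entries[-1][key] = value
    return entries

def check_export(entries, no_chain=False, no_key=False):
    """Return findings where the file contradicts the export options used."""
    findings = []
    for i, e in enumerate(entries):
        issuers = {o.get("Issuer DN") for j, o in enumerate(entries) if j != i}
        if no_key and e.get("Has Key") == "true":
            findings.append(f"{e.get('Nickname')}: private key present despite --no-key")
        if no_chain and e.get("Subject DN") in issuers:
            findings.append(f"{e.get('Nickname')}: issuer certificate present despite --no-chain")
    return findings
```

Pass the flags that were given to `pkcs12-export`; an empty list means the listing is consistent with them.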
Metadata Update from @cipherboy:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1572057
- Custom field type adjusted to None
- Custom field version adjusted to None

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3248
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)