https://bugzilla.redhat.com/show_bug.cgi?id=441544 (Dogtag Certificate System)
Description of problem:
I have a custom CMC profile that will take the requested validity period out of the embedded CRMF request and use that for the validity period on the certificate. The user-supplied validity is being ignored and the issued certificate has a notBefore and notAfter time that is exactly the same and is the current time.

How reproducible: Always

Steps to Reproduce:
1. The first attachment to the bug is the full contents of my custom profile; it represents the contents of /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg.
2. Go to the end-entity interface and select the profile that uses caFullCMCUserCert.cfg. It should be the second one labeled "Signed CMC-Authenticated User Certificate Enrollment"; mouse over it and look at the end of the URL for .../profileSelect?profileId=caFullCMCUserCert
3. Paste in a CMC (attachment 300295) request with an embedded CRMF containing validity information and submit it.
4. Inspect the resulting certificate's notBefore and notAfter times.

Actual results:
notBefore = notAfter = current time

Expected results:
notBefore and notAfter = the values from the CRMF request (CRMF contains UTCTime 03/04/2008 18:06:54 GMT and UTCTime 04/04/2008 18:06:54 GMT)

Additional info:
In the debug log for the CA there is the following exception. I'm not sure where else to look for further info:

[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate start
[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate java.security.cert.CertificateException: CertificateValidity class type invalid.
[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate end

Further down in the log, when it shows the TBS cert request, it shows the notBefore and notAfter are the same time:

[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate start
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: millisDiff=0 notAfter=1207675614000 notBefore=1207675614000
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: long_days: 0
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: days: 0
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate end

and

Validity: [From: Tue Apr 08 13:26:54 EDT 2008, To: Tue Apr 08 13:26:54 EDT 2008]

-------------

If you go back to the profiles page and select the first "Signed CMC-Authenticated User Certificate Enrollment" (link ends with ..profileSelect?profileId=caCMCUserCert) and paste in the same request, the cert will be issued with 180 day validity because that profile has a hardcoded 180 day validity period:

policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
policyset.cmcUserCertSet.2.constraint.params.range=365
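The check below is an added example, not part of the original report and not Dogtag code: it scans CA debug-log text for ValidityConstraint entries where notAfter is not later than notBefore, and attaches the UserValidityDefault exception logged earlier on the same thread. It assumes the log line layout matches the lines quoted in the report; the function name and the sample are constructed for illustration.

```python
import re

# Constructed sample: debug-log lines copied from the report, one entry per line.
SAMPLE_LOG = """\
[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate start
[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate java.security.cert.CertificateException: CertificateValidity class type invalid.
[08/Apr/2008:13:26:54][http-9443-Processor25]: UserValidityDefault: populate end
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate start
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: millisDiff=0 notAfter=1207675614000 notBefore=1207675614000
[08/Apr/2008:13:26:54][http-9443-Processor25]: ValidityConstraint: validate end
"""

# Assumed layout: [timestamp][thread]: Component: message
LINE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (\w+): (.*)$")
VALIDITY = re.compile(r"millisDiff=(-?\d+) notAfter=(\d+) notBefore=(\d+)")


def find_degenerate_validity(log_text):
    """Return one finding per ValidityConstraint line with notAfter <= notBefore.

    Each finding carries the last UserValidityDefault exception seen on the same
    thread since its "populate start", or None if that step logged no exception.
    """
    populate_error = {}  # thread name -> exception text
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, thread, component, msg = m.groups()
        if component == "UserValidityDefault":
            if msg == "populate start":
                populate_error.pop(thread, None)  # new request on this thread
            elif "Exception" in msg:
                populate_error[thread] = msg.split(" ", 1)[1]
        elif component == "ValidityConstraint":
            v = VALIDITY.search(msg)
            if v and int(v.group(2)) <= int(v.group(3)):
                findings.append({
                    "timestamp": ts,
                    "thread": thread,
                    "not_before_ms": int(v.group(3)),
                    "not_after_ms": int(v.group(2)),
                    "populate_error": populate_error.get(thread),
                })
    return findings


if __name__ == "__main__":
    for finding in find_degenerate_validity(SAMPLE_LOG):
        print(finding)
```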
Metadata Update from @nkinder: - Issue assigned to kaskahn - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1024
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)