freeipa

Clone
Source Code
GIT

64d187e NSSDatabase: fix get_trust_chain

1 file Authored by frenaud 4 years ago, Committed by rcritten 4 years ago,
raw patch tree parent
1 file changed. 3 lines added. 1 lines removed.
ipapython/certdb.py
file modified
+3 -1 
    NSSDatabase: fix get_trust_chain
    
    In the get_trust_chain method, use certutil -O with the option
    --simple-self-signed to make sure that self-signed certs properly
    get processed.
    Note: this option has been introduced in nss 3.38 and our spec file
    already requires nss >= 3.41.
    
    Scenario: when IPA CA is switched from self-signed to externally-signed,
    then back to self-signed, the same nickname can be used in
    /etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
    the original and renewed certs are present in the NSS db, running
    $ certutil -O -n <IPA CA alias>
    produces a complex output like the following (this command is used to find
    the trust chain):
    "CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]
    
      "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
    
        "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
    
    The renewal code is disturbed by this output.
    If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
    used to extract the trust chain, the output is as expected for a self-signed
    cert:
    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
    
    As a result, the scenario self-signed > externally signed > self-signed
    works.
    
    Fixes: https://pagure.io/freeipa/issue/7926
    Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
file modified
+3 -1
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.