`update_ra_cert_store` migrates the RA cert and key from `/etc/httpd/alias` to `/var/lib/ipa/ra-agent.pem` and `/var/lib/ipa/ra-agent.key`. It also removes the public cert from `/etc/httpd/alias`, but it does not remove the private key. This leaves a dangling private key in the cert database.
```
$ sudo certutil -L -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -n ipaCert
certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
$ sudo certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -n ipaCert
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ipaCert
```
`/etc/httpd/alias` should no longer contain the ipaCert private key.
Hello,
Looks like you are talking about the ipa Session Key to be removed after upgrade?

```
lrwxrwxrwx  1 root root      24 Jan 4 10:26 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r-----  1 root apache 16384 Jan 4 10:26 secmod.db.orig
-rw-r-----  1 root apache 24576 Jan 4 10:26 key3.db.orig
-rw-r-----  1 root apache 65536 Jan 4 10:26 cert8.db.orig
-rw-------  1 root root    5274 Jan 4 10:26 install.log
-rw-rw----  1 root apache    20 Jan 4 10:47 pwdfile.txt
-rw-rw----  1 root apache 16384 Jan 4 10:47 secmod.db
-rw-------. 1 root root      32 Jan 5 01:39 ipasession.key    <<<<<<<<<
-rw-rw----  1 root apache 24576 Jan 4 11:02 key3.db
-rw-rw----  1 root apache 65536 Jan 4 11:02 cert8.db
```
No, I'm not talking about the session key. That's a different issue. Please open a new issue for ipasession.key. Good catch!
`certdb.delete_cert()` runs the command `certutil ... -D -n ipaCert`, which removes only the public cert from the NSSDB. The associated private key is not removed. To remove the private key, `certutil ... -F -n ipaCert` is required, perhaps with the `-k` option.
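An added example (not FreeIPA code, and not the fix in the linked PR) showing how an administrator could audit an NSS database for exactly this state: it parses the text output of `certutil -K` and `certutil -L`, reports keys whose nickname no longer has a certificate, and builds the `certutil -F -k <keyid>` invocation suggested above. The listings are constructed samples; the regexes assume the usual certutil output layout, and nothing is executed against a real database.

```python
import re

# One key line of ``certutil -K`` output (constructed sample layout):
#   "<  0> rsa      3f9ac2...   ipaCert"
# Newer NSS may prefix the nickname with "NSS Certificate DB:".
KEY_LINE = re.compile(r"^<\s*\d+>\s+(\w+)\s+([0-9a-fA-F]+)\s+(.+?)\s*$")
# One cert line of ``certutil -L``: nickname, spaces, three trust fields.
CERT_LINE = re.compile(r"^(.+?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")
TOKEN_PREFIX = "NSS Certificate DB:"

def parse_key_listing(text):
    """Return (key type, key ID, nickname) for every key certutil -K lists."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            ktype, keyid, nick = m.groups()
            if nick.startswith(TOKEN_PREFIX):
                nick = nick[len(TOKEN_PREFIX):]
            keys.append((ktype, keyid.lower(), nick))
    return keys

def parse_cert_listing(text):
    """Return {nickname: trust flags} for every cert certutil -L lists."""
    return {m.group(1): m.group(2)
            for m in map(CERT_LINE.match, text.splitlines()) if m}

def find_dangling_keys(key_text, cert_text):
    """(key ID, nickname) pairs whose certificate is gone from the DB."""
    present = parse_cert_listing(cert_text)
    return [(keyid, nick) for _, keyid, nick in parse_key_listing(key_text)
            if nick not in present]

def delete_key_command(dbdir, pwdfile, keyid):
    """certutil invocation removing the key by ID (-F -k); built, not run."""
    return ["certutil", "-F", "-d", dbdir, "-f", pwdfile, "-k", keyid]

# Constructed listings reproducing the issue: the ipaCert certificate was
# deleted with ``certutil -D`` but its RSA private key is still present.
SAMPLE_KEYS = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
<  0> rsa      3f9ac2e1b0d4f5a6c7b8091a2b3c4d5e6f708192   ipaCert
<  1> rsa      a1b2c3d4e5f60718293a4b5c6d7e8f9012345678   Server-Cert
"""
SAMPLE_CERTS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE IPA CA                                           CT,C,C
"""
```

Run `find_dangling_keys(SAMPLE_KEYS, SAMPLE_CERTS)` to get the orphaned ipaCert key ID, then pass it to `delete_key_command` and review the resulting command before executing it with `subprocess`.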
Yah I found it in `ipapython/certdb.py`:

```python
def delete_cert(self, nick):
    self.run_certutil(["-D", "-n", nick])
```

But is it necessary to "List the key ID of keys in the key database." with the `-k` option?
Going thru the options.
PR: https://github.com/freeipa/freeipa/pull/1441
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)
FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3380
master:
ipa-4-7:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-8: