(Based on https://bugzilla.redhat.com/show_bug.cgi?id=1641988)
External CA renewal, when changing from self-signed to externally-signed, accepts an IPA CA certificate with empty Subject Key Identifier. This is technically legal in X.509, but operationally it is highly problematic. Furthermore, due to a bug in Dogtag (https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag startup failure.
Steps to Reproduce
Certificate with empty or absent Subject Key Identifier should be rejected.
This check should also be carried out in initial CA installation, if it is not already.
Metadata Update from @ftweedal: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1641988
PR: https://github.com/freeipa/freeipa/pull/2548
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2548
master:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)