#7878 When more than one certificate is stored in an LDAP object, the 'ipa' tool always shows data that belongs to the old certificate
Opened 5 months ago by frenaud. Modified 4 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1685912

Description of problem:
An IdM object can contain more than one certificate. When you use 'ipa
service-show <principal> or 'ipa service-find', both certificates are
displayed, but the 'serial' and 'expiry' date shows the data from the old
rather than the renewed certificate. This is very confusing.

I suppose the same is also true for host and user objects, but I didn't verify

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Renew any service certificate
2.Make sure the service entry has more than one certificate attached
3.Call 'ipa service-show <service-principal>

Actual results:
The output shows data that belongs to the old certificate.

Expected results:
The output should show data that belongs to the new certificate.

Additional info:

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1685912

5 months ago

IMO would should deprecate these fields; they should not be relied upon because they can only represent one of possibly many certificates - and multiple certs may be valid concurrently. Clients should parse the userCertificate attribute values themselves, and find the information they want that way.

Login to comment on this ticket.