Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1685912
Description of problem:

An IdM object can contain more than one certificate. When you use 'ipa service-show <principal>' or 'ipa service-find', both certificates are displayed, but the 'serial' and 'expiry' date show the data from the old rather than the renewed certificate. This is very confusing. I suppose the same is also true for host and user objects, but I didn't verify this.

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.1ts.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Renew any service certificate
2. Make sure the service entry has more than one certificate attached
3. Call 'ipa service-show <service-principal>'

Actual results:
The output shows data that belongs to the old certificate.

Expected results:
The output should show data that belongs to the new certificate.

Additional info:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1685912
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1685912, https://bugzilla.redhat.com/show_bug.cgi?id=1685912 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1685912)
IMO we should deprecate these fields; they should not be relied upon because they can only represent one of possibly many certificates - and multiple certs may be valid concurrently. Clients should parse the userCertificate attribute values themselves, and find the information they want that way.
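As an added example of the client-side approach suggested in the comment above (this is not FreeIPA code and not part of the ticket): a dependency-free Python reader that pulls serialNumber and the validity period out of every DER value of a multi-valued userCertificate attribute, then selects the certificate that is valid at the given time with the latest notAfter, falling back to the latest notAfter overall when none is valid. The two certificates are constructed inside the block (structurally valid DER with dummy issuer, subject and signature fields, so they are not real IdM certificates), and the helper names (`cert_summary`, `newest_certificate`, `make_fake_cert`, `SAMPLE_USERCERTIFICATE`) are assumptions of this example.

```python
from datetime import datetime, timezone

# ---- minimal DER (TLV) reader: enough for serialNumber and validity ----
def _tlv(data, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(data, pos)
        yield tag, vstart, vend
        pos = vend

def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as aware UTC."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("unexpected Time tag %#x" % tag)
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_summary(der):
    """Return (serial, not_before, not_after) from one DER-encoded certificate."""
    _, cstart, _ = _tlv(der, 0)                     # Certificate SEQUENCE
    _, tstart, tend = _tlv(der, cstart)             # tbsCertificate SEQUENCE
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    stag, sstart, send = fields[0]                  # serialNumber INTEGER
    if stag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(der[sstart:send], "big", signed=True)
    _, vstart, vend = fields[3]                     # validity follows signature and issuer
    times = [_parse_time(t, der[a:b]) for t, a, b in _children(der, vstart, vend)]
    return serial, times[0], times[1]

def newest_certificate(values, now=None):
    """Pick the certificate a client should report for a multi-valued attribute:
    among values valid at `now`, the one with the latest notAfter; if none is
    valid, the latest notAfter overall."""
    now = now or datetime.now(timezone.utc)
    summaries = [cert_summary(v) for v in values]
    valid = [s for s in summaries if s[1] <= now <= s[2]]
    return max(valid or summaries, key=lambda s: s[2])

# ---- constructed sample data (not real IdM certificates, no real signature) ----
def _enc(tag, body):
    """DER-encode one TLV element with short or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_fake_cert(serial, not_before, not_after):
    """Build a structurally valid Certificate with dummy algorithm, names and signature."""
    ser = _enc(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # keeps sign bit clear
    sha256_rsa = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    fmt = "%y%m%d%H%M%SZ"
    validity = _enc(0x30, _enc(0x17, not_before.strftime(fmt).encode())
                          + _enc(0x17, not_after.strftime(fmt).encode()))
    empty_name = _enc(0x30, b"")
    spki = _enc(0x30, sha256_rsa + _enc(0x03, b"\x00"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + ser + sha256_rsa
                     + empty_name + validity + empty_name + spki)
    return _enc(0x30, tbs + sha256_rsa + _enc(0x03, b"\x00"))

_utc = timezone.utc
SAMPLE_USERCERTIFICATE = [                          # old cert first, as LDAP may return it
    make_fake_cert(17, datetime(2019, 3, 1, tzinfo=_utc), datetime(2021, 3, 1, tzinfo=_utc)),
    make_fake_cert(42, datetime(2021, 1, 15, tzinfo=_utc), datetime(2023, 1, 15, tzinfo=_utc)),
]

if __name__ == "__main__":
    for serial, nb, na in map(cert_summary, SAMPLE_USERCERTIFICATE):
        print("serial %d valid %s .. %s" % (serial, nb.date(), na.date()))
    print("report:", newest_certificate(SAMPLE_USERCERTIFICATE, datetime(2021, 2, 1, tzinfo=_utc))[0])
```

During the overlap window (both certificates valid) the function reports serial 42, the renewed one, which is exactly the value the ticket says `ipa service-show` gets wrong; before the renewal it still reports serial 17, so a client using this logic never depends on which value LDAP happens to return first.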