There is a regression in SQL NSSDB backend which causes certificates to not be properly associated with the private keys (i.e. now showing ultimate trust with 'u,u,u' in trust flags).
For example, after replica install the replica has an NSSDB that looks like:
```
# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
```
I have observed that the pk12util tool does not exhibit this problem because of an explicit call to PK11_ImportPublicKey. Therefore JSS key import methods should be updated to explicitly import the public key via the same subroutine.
The initial PR: https://github.com/dogtagpki/jss/pull/13
Another PR addresses a similar issue for LWCA key replication: https://github.com/dogtagpki/jss/pull/15
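As an added illustration of the symptom (not code from the JSS PRs above), the check below parses `certutil -L` output and lists the certificates that are expected to hold a private key but carry no `u` flag; the nickname list and the sample listing are assumptions reconstructed from this ticket.

```python
"""Flag certificates in a `certutil -L` listing that lack the 'u' flag.

Added example, not part of JSS or Dogtag. certutil marks a certificate
whose private key it can find in the NSSDB with 'u' in the trust
attributes (e.g. 'u,u,u' or 'CTu,Cu,Cu'); after the regression only
Server-Cert keeps it. The sample below is constructed from the ticket.
"""
import re
from typing import Dict, List

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias/` output.
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
"""

# Assumed: every CA subsystem certificate should be paired with a private key.
EXPECTED_KEY_HOLDERS = [
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
]

# Nicknames may contain spaces, so the trust column is the trailing token of
# three comma-separated (possibly empty) flag groups.
_LINE_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map certificate nickname -> trust attribute string."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def has_private_key(trust: str) -> bool:
    """True when any of the SSL, S/MIME or JAR/XPI groups carries 'u'."""
    return any("u" in group for group in trust.split(","))

def certs_missing_private_key(text: str, expected: List[str]) -> List[str]:
    """Expected nicknames that are absent or not associated with a key."""
    certs = parse_certutil_list(text)
    return [n for n in expected if not has_private_key(certs.get(n, ",,"))]
```

Note that `caSigningCert cert-pki-ca` is reported as well: `CT,C,C` shows trust but no `u`, so the CA signing key is also unassociated in the listing above.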
Metadata Update from @ftweedal:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 4.5.0
- Issue status updated to: Closed (was: Open)