system certificate-install deletes ca cert files that contain no private key
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Low | Reinildes Oliveira | |
Bug Description
Brief Description
-------
The command "system certificate-install -m ssl_ca xxx.pem" will give a warning about deleting the certificate file used, where the reason given is that the file contains a private key. But the ssl_ca does not contain a private key and it is also deleted. It's a hardening measure which is applied too broadly.
Severity
-------
Minor
Steps to Reproduce
-------
Create a root ca certificate, as described upstream:
https:/
and install the file using "system certificate-install -m ssl_ca <cert_file_pem>"
Expected Behavior
-------
Keep the file. As the file does not contain the private key information, its deletion does not contribute to security.
Actual Behavior
-------
The file is deleted with warning text "WARNING: For security reasons, the original certificate, containing the private key, will be removed, once the private key is processed."
Reproducibility
-------
Reproducible
System Configuration
-------
Any
Branch/Pull Time/Commit
-------
stx master August 24
Last Pass
-------
N/A - original behavior
Timestamp/Logs
-------
N/A
Alarms
-------
N/A
Test Activity
-------
HTTPS, cert-man/
Workaround
-------
Manually preserve a copy of the certificate chain
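
A content-based check of the kind the expected behavior implies, as an added example (not StarlingX code and not the submitted fix): it reads the PEM block labels and flags the source file for removal only when a private key block is present. The function names and the placeholder PEM bodies are constructed for illustration.

```python
import re

# PEM boundary line: -----BEGIN <label>----- (tolerates trailing CR/whitespace)
_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Warning text quoted in this bug report
REMOVAL_WARNING = ("WARNING: For security reasons, the original certificate, "
                   "containing the private key, will be removed, once the "
                   "private key is processed.")


def pem_labels(pem_text):
    """Return the labels of all PEM blocks in the text, in order."""
    return _PEM_BEGIN.findall(pem_text)


def contains_private_key(pem_text):
    """True if any block is a private key: PKCS#8 ('PRIVATE KEY'),
    'ENCRYPTED PRIVATE KEY', or the RSA/EC/DSA/OPENSSH forms."""
    return any(label.endswith("PRIVATE KEY") for label in pem_labels(pem_text))


def removal_warning(pem_text):
    """Hypothetical policy: warn (and later delete) only if key material exists."""
    return REMOVAL_WARNING if contains_private_key(pem_text) else None


# Constructed samples: bodies are placeholders, not real certificates or keys.
CA_ONLY = """-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
"""
CERT_AND_KEY = CA_ONLY + """-----BEGIN PRIVATE KEY-----
MIIEplaceholder
-----END PRIVATE KEY-----
"""
CHAIN = CA_ONLY + CA_ONLY  # ssl_ca style bundle, certificates only

if __name__ == "__main__":
    for name, sample in [("ca only", CA_ONLY), ("cert+key", CERT_AND_KEY),
                         ("chain", CHAIN)]:
        print(name, pem_labels(sample), "remove:", contains_private_key(sample))
```

The check keys on block boundaries rather than a substring search, so a comment line that merely mentions a private key does not trigger removal.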
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.6.0 stx.security
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/812185