Incorrect trust flags in NSSDB when renewing subsystem certificates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dogtag-pki (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
OS: Ubuntu 18.04
Dogtag: 10.6.0
When renewing subsystem certificates in dogtag (by following the process described here: https:/
The certificate IDs are:
'ocsp_signing' (gets 'u,u,u' should get 'CTu,Cu,Cu')
'ocsp_audit_
'ca_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')
To fix this, certutil must be executed to correct them.
In case anyone else finds this bug report and needs an emergency fix,
certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/
certutil -M -t 'u,u,Pu' -d 'sql:/etc/
certutil -M -t 'u,u,Pu' -d 'sql:/etc/
Status changed to 'Confirmed' because the bug affects multiple users.
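A check for the condition described in this report, as an added example that is not part of the original bug report or of Dogtag: it parses a `certutil -L` listing and flags certificates whose trust attributes differ from the expected values. The flag values come from the report; the nicknames, the sample listing and the function name `check_trust_flags` are constructed placeholders.

```shell
# Expected flags as "nickname|flags" lines. Flag values are from the bug report;
# the nicknames are placeholders, replace them with the ones in your NSSDB.
EXPECTED='ocsp_signing (placeholder nickname)|CTu,Cu,Cu
ca_audit_signing (placeholder nickname)|u,u,Pu'

# Constructed sample of `certutil -L -d sql:<nssdb-dir>` output after a renewal.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocsp_signing (placeholder nickname)                          u,u,u
ca_audit_signing (placeholder nickname)                      u,u,Pu
other-cert (constructed)                                     u,u,u
'

# Reads a certutil -L listing on stdin and compares every nickname named in $1
# with its expected flags. Prints one line per problem; returns 1 if any.
check_trust_flags() {
    EXPECT="$1" awk '
        BEGIN {
            n = split(ENVIRON["EXPECT"], rows, "\n")
            for (i = 1; i <= n; i++) {
                p = index(rows[i], "|")
                if (p > 0) want[substr(rows[i], 1, p - 1)] = substr(rows[i], p + 1)
            }
        }
        NF >= 2 {
            flags = $NF                              # last column holds the flags
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)    # drop the flags column
            sub(/^[ \t]+/, "", nick)
            if (nick in want) {
                seen[nick] = 1
                if (flags != want[nick]) {
                    printf "MISMATCH %s: got %s, expected %s\n", nick, flags, want[nick]
                    bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }
    '
}

# Demonstration on the constructed listing; a real run pipes certutil -L output in.
printf '%s\n' "$SAMPLE_LISTING" | check_trust_flags "$EXPECTED" || true
```

Running it after each renewal, before restarting the subsystem, surfaces a reset to 'u,u,u' without waiting for a validation failure.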