Incorrect trust flags in NSSDB when renewing subsystem certificates

Bug #1813919 reported by travis armstrong
This bug affects 2 people
Affects: dogtag-pki (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

OS: ubuntu 18.04
Dogtag: 10.6.0

When renewing subsystem certificates in dogtag (by following the process described here: https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will break due to incorrect trust flags in NSS.

The certificate IDs are:

'ocsp_signing' (gets 'u,u,u' should get 'CTu,Cu,Cu')
'ocsp_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')
'ca_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')

To fix this, certutil must be executed to correct them.

In case anyone else finds this bug report and needs an emergency fix:

certutil -M -t 'CTu,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP'

certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP'

certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat CA'
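The following script is an added example and is not part of the bug report or of Dogtag itself. It is the check an operator would run after a renewal: it parses the text that `certutil -L -d sql:/etc/pki/pki-tomcat/alias` prints, compares the trust flags of the three certificates named above with the values the reporter says they should have, and prints (without executing) the corrective `certutil -M` command for any that are wrong. The NSS database path, the nicknames and the expected flags are taken from the report; the two listings embedded below are constructed samples standing in for real `certutil -L` output so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the bug report: after a Dogtag subsystem
# certificate renewal, verify the NSS trust flags of the certificates named
# in the report and print the corrective `certutil -M` command for any that
# are wrong. Nothing here modifies the database; the commands are only
# printed for the operator to review and run.
#
# Assumptions: the NSS database path and certificate nicknames are those in
# the report, and the expected flags are the reporter's "should get" values.

NSSDB='sql:/etc/pki/pki-tomcat/alias'

# Expected trust flags, one "nickname|flags" pair per line
# (SSL,S/MIME,JAR/XPI columns, in the order certutil prints them).
EXPECTED='ocspSigningCert cert-pki-tomcat OCSP|CTu,Cu,Cu
auditSigningCert cert-pki-tomcat OCSP|u,u,Pu
auditSigningCert cert-pki-tomcat CA|u,u,Pu'

# check_trust_flags LISTING
#   LISTING is the text produced by `certutil -L -d "$NSSDB"`. For each
#   expected nickname print "OK", "FIX <have> -> <want>" plus the repair
#   command, or "MISSING". Returns 0 only if every certificate is correct.
check_trust_flags() {
    listing=$1
    rc=0
    while IFS='|' read -r nick want; do
        [ -n "$nick" ] || continue
        # certutil -L prints "<nickname><spaces><flags>". Nicknames contain
        # spaces, so take the last field as the flags and compare the rest
        # of the line with the nickname exactly (no prefix matching).
        have=$(printf '%s\n' "$listing" | awk -v n="$nick" '
            { flags = $NF
              sub(/[ \t]+[^ \t]+[ \t]*$/, "")
              if ($0 == n) print flags }')
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$nick"
            rc=1
        elif [ "$have" = "$want" ]; then
            printf 'OK %s %s\n' "$nick" "$have"
        else
            printf 'FIX %s %s -> %s\n' "$nick" "$have" "$want"
            printf "  certutil -M -t '%s' -d '%s' -n '%s'\n" "$want" "$NSSDB" "$nick"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample of `certutil -L` output reproducing the report: the
# three renewed certificates came back with 'u,u,u'.
SAMPLE_BROKEN='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat OCSP                         u,u,u
auditSigningCert cert-pki-tomcat OCSP                        u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,u
subsystemCert cert-pki-tomcat                                u,u,u'

# Constructed sample of the same database after the reporter's certutil -M
# commands have been applied.
SAMPLE_FIXED='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat OCSP                         CTu,Cu,Cu
auditSigningCert cert-pki-tomcat OCSP                        u,u,Pu
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
subsystemCert cert-pki-tomcat                                u,u,u'

# Against a live system, pass real output instead of the sample:
#   check_trust_flags "$(certutil -L -d "$NSSDB")"
check_trust_flags "$SAMPLE_BROKEN" || printf 'trust flags need repair\n'
```

The comparison deliberately matches the whole nickname rather than a prefix, because Dogtag nicknames share long common stems (`auditSigningCert cert-pki-tomcat CA` versus `auditSigningCert cert-pki-tomcat OCSP`), and the script only prints the repair commands so that the change to the NSS database stays an explicit, reviewable step.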

travis armstrong (trams)
description: updated
travis armstrong (trams)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dogtag-pki (Ubuntu):
status: New → Confirmed