← Back to team overview

freeipa team mailing list archive

  1. freeipa team
  2. Mailing list archive
  3. Message #00906

[Bug 1813919] [NEW] Incorrect trust flags in NSSDB when renewing subsystem certificates

  Thread PreviousDate PreviousThread Next 
Public bug reported:

OS: ubuntu 18.04
Dogtag: 10.6.0

When renewing subsystem certificates in dogtag (by following the process
described here:
https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
break due to incorrect trust flags in NSS.

The certificate IDs are:

'ocsp_signing'        (gets 'u,u,u' shoud get 'CTu,Cu,Cu')
'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')

To fix this certutil must be executed to correct them.

In case anyone else finds this bugreport and need an emergency fix,

certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
'ocspSigningCert cert-pki-tomcat OCSP'

certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
'auditSigningCert cert-pki-tomcat OCSP'

** Affects: dogtag-pki (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

+ OS: ubuntu 18.04
+ Dogtag: 10.6.0
+ 
  When renewing subsystem certificates in dogtag (by following the process
  described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.
  
  The certificate IDs are:
  
  'ocsp_signing'        (gets 'u,u,u' shoud get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')
  
  To fix this certutil must be executed to correct them.
  
  In case anyone else finds this bugreport and need an emergency fix,
  
  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'ocspSigningCert cert-pki-tomcat OCSP'
  
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'auditSigningCert cert-pki-tomcat OCSP'

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  New

Bug description:
  OS: ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the
  process described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.

  The certificate IDs are:

  'ocsp_signing'        (gets 'u,u,u' shoud get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')

  To fix this certutil must be executed to correct them.

  In case anyone else finds this bugreport and need an emergency fix,

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'ocspSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'auditSigningCert cert-pki-tomcat OCSP'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813919/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next