freeipa team mailing list archive

Thread
Date

[Bug 1813919] Re: Incorrect trust flags in NSSDB when renewing subsystem certificates

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1813919@xxxxxxxxxxxxxxxxxx>
Date: Mon, 04 Mar 2019 11:40:23 -0000
Reply-to: Bug 1813919 <1813919@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  OS: ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the
  process described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.

  The certificate IDs are:

  'ocsp_signing'        (gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')
  'ca_audit_signing'    (gets 'u,u,u' should get 'u,u,Pu')


  To fix this certutil must be executed to correct them.

  In case anyone else finds this bugreport and need an emergency fix,

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'ocspSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'auditSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'auditSigningCert cert-pki-tomcat CA'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813919/+subscriptions

References

[Bug 1813919] [NEW] Incorrect trust flags in NSSDB when renewing subsystem certificates
From: travis armstrong, 2019-01-30