It appears that the CAValidity constraint is not applied during installation. As a consequence, the subsystem certs created from the .profile files could have a notAfter beyond that of the CA signing cert imported during an "external" or "existing" CA installation.
A workaround could be to change the .profile files (<instance dir>/ca/conf/*.profile) of the subsystem certs so that the "range" parameter does not extend beyond the CA signing cert's notAfter value.
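The workaround above is a manual edit of the validity "range" in each subsystem profile. The following script, an added example and not Dogtag code, performs the check the missing CAValidity constraint would have done: it takes the CA signing cert's notAfter (from the `notAfter=` line printed by `openssl x509 -noout -enddate`), computes the notAfter each profile's `range` (in days) would produce, reports any that exceed the CA, and rewrites the range to the largest value that fits. The sample profile and the openssl output line are constructed; the assumption that the validity default's range lives under a key ending in `.default.params.range` is taken from the installation profile layout and should be checked against the files in your own `<instance dir>/ca/conf/`.

```python
"""Check Dogtag-style installation profiles for a validity 'range' that would push a
subsystem cert's notAfter past the CA signing cert's notAfter, and rewrite the range
to fit. Added example, not Dogtag's own code.

Assumptions: profiles are Java-properties style files whose validity default has a
'range' parameter (days) under a key ending in '.default.params.range'; the CA's
notAfter comes from the 'notAfter=' line of `openssl x509 -noout -enddate`.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of <instance dir>/ca/conf/*.profile (not a real file).
SAMPLE_PROFILE = """\
id=caCert
name=All Purpose CA Signing Certificate Enrollment
list=2,4
2.default.class=com.netscape.cms.profile.def.ValidityDefault
2.default.name=Validity Default
2.default.params.range=7305
2.default.params.startTime=0
4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
"""

# Constructed `openssl x509 -noout -enddate` output for an imported CA signing cert.
SAMPLE_CA_ENDDATE = "notAfter=Jun 28 18:00:03 2026 GMT"

# Matches '<prefix>.default.params.range=<days>'; a leading '#' (comment) does not match.
RANGE_KEY = re.compile(r"^(?P<key>[\w.]*\.default\.params\.range)\s*=\s*(?P<days>\d+)\s*$")


def parse_openssl_enddate(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def max_range_days(not_before, ca_not_after):
    """Largest whole number of days a cert issued at not_before can be valid without
    its notAfter exceeding the CA's notAfter (0 if the CA has already expired)."""
    return max((ca_not_after - not_before).days, 0)


def clamp_not_after(not_before, range_days, ca_not_after):
    """notAfter = notBefore + range, clamped to the CA's notAfter.
    Returns (not_after, clamped); clamped is True when the request exceeded the CA."""
    requested = not_before + timedelta(days=range_days)
    if requested > ca_not_after:
        return ca_not_after, True
    return requested, False


def check_profile(profile_text, not_before, ca_not_after):
    """One finding per range parameter: key, configured days, resulting notAfter
    (ISO 8601) and whether it would exceed the CA signing cert's notAfter."""
    findings = []
    for line in profile_text.splitlines():
        m = RANGE_KEY.match(line.strip())
        if not m:
            continue
        days = int(m.group("days"))
        not_after, exceeds = clamp_not_after(not_before, days, ca_not_after)
        findings.append({"key": m.group("key"), "range": days,
                         "not_after": not_after.isoformat(), "exceeds_ca": exceeds})
    return findings


def rewrite_ranges(profile_text, max_days):
    """Apply the workaround: lower every range above max_days to max_days; keep all
    other lines byte-for-byte."""
    out = []
    for line in profile_text.splitlines():
        m = RANGE_KEY.match(line.strip())
        if m and int(m.group("days")) > max_days:
            out.append(f"{m.group('key')}={max_days}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ca_not_after = parse_openssl_enddate(SAMPLE_CA_ENDDATE)
    # Constructed notBefore: the moment pkispawn issues the subsystem certs.
    install_time = datetime(2016, 6, 28, 18, 0, 3, tzinfo=timezone.utc)
    limit = max_range_days(install_time, ca_not_after)
    for f in check_profile(SAMPLE_PROFILE, install_time, ca_not_after):
        status = "EXCEEDS CA" if f["exceeds_ca"] else "ok"
        print(f"{f['key']}: range={f['range']} notAfter={f['not_after']} {status}; max range {limit}")
    print(rewrite_ranges(SAMPLE_PROFILE, limit))
```

Run it against each real profile before pkispawn (for example `python3 check.py` adapted to read `*.profile` and the output of `openssl x509 -in ca_signing.crt -noout -enddate`); the `max_range_days` value is the number to put in every `range` that the script flags. The clamp is deliberately strict (the cert's notAfter may equal, but never exceed, the CA's), which is the same rule the missing constraint would enforce.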
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1350983
pushed to master:
commit 659c90869a27871eda27fd730d00b0499873dae2
Author: Christina Fu cfu@redhat.com
Date: Tue Jun 28 18:00:03 2016 -0700

Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA

This patch implements validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding.
Looks like it broke the regular installation, as the CA signing cert is not available at that point. Reopened.
commit ee68baccc5510184ff67b903288410d3ccc6a831
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Mon Jul 11 17:51:57 2016 -0700

Ticket #2389 fix for regular CA installation

This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1356311
Metadata Update from @cfu:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2509
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.