Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  OS: Ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the
  process described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.

  The certificate IDs are:
  'ocsp_signing' (gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')
  'ca_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')

  To fix this, certutil must be executed to correct them.

  In case anyone else finds this bug report and needs an emergency fix,

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP'
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP'
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat CA'
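
Added example, not part of the original bug report or of Dogtag's own tooling: a check that compares the trust flags listed by certutil -L against the values the report says each certificate should have, so a renewal that reset them to 'u,u,u' is caught before OCSP breaks. The nicknames, database path and expected flags are taken from the report; the function names and the sample listing are constructed for illustration.

```shell
# Added example: audit trust flags in the Dogtag NSSDB after a renewal.
# Nicknames, path and expected flags are the ones quoted in the bug report.
NSSDB='sql:/etc/pki/pki-tomcat/alias'
EXPECTED='ocspSigningCert cert-pki-tomcat OCSP|CTu,Cu,Cu;auditSigningCert cert-pki-tomcat OCSP|u,u,Pu;auditSigningCert cert-pki-tomcat CA|u,u,Pu'

# Reads `certutil -L` output on stdin. Prints one line per certificate whose
# flags differ from EXPECTED or that is absent; returns 1 if any were found.
check_trust_flags() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, rows, ";")
        for (i = 1; i <= n; i++) { split(rows[i], kv, "|"); want[kv[1]] = kv[2] }
    }
    NF >= 2 {
        flags = $NF                               # last column: SSL,S/MIME,JAR/XPI
        nick = $0                                 # nicknames contain spaces
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)     # strip the flags column
        sub(/^[ \t]+/, "", nick)
        if (nick in want) {
            seen[nick] = 1
            if (flags != want[nick]) {
                printf "MISMATCH %s: has %s, expected %s\n", nick, flags, want[nick]
                bad = 1
            }
        }
    }
    END {
        for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
        exit bad + 0
    }'
}

# Constructed listing in the layout certutil -L prints (not real output).
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat OCSP                         u,u,u
auditSigningCert cert-pki-tomcat OCSP                        u,u,Pu
auditSigningCert cert-pki-tomcat CA                          u,u,u
EOF
}

# Demo on the constructed listing; on a real host run:
#   certutil -L -d "$NSSDB" | check_trust_flags
sample_listing | check_trust_flags || echo "trust flags need repair"
```
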