In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname.
The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022 ACKed by mharmsen (thanks!). Pushed to master. -- Endi S. Dewata
>From 5223c875b830dc1fc6dc9d9e622ded326a9eeacb Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <[email protected]> Date: Fri, 25 Mar 2016 03:33:05 +0100 Subject: [PATCH] Fixed certificate chain import problem. In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022 --- .../server/deployment/scriptlets/configuration.py | 24 ++++++++++++---------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 79b66757aca48b9738a2a8eea4c65e9bd004822a..f93a24723375ee3fc5139473f2d37daea0866910 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -157,18 +157,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr - # If specified, import external CA cert into NSS database. - external_ca_cert_chain_nickname = \ - deployer.mdict['pki_external_ca_cert_chain_nickname'] - external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] - if external_ca_cert_chain_file: - cert_chain, _nicks = nssdb.import_cert_chain( - nickname=external_ca_cert_chain_nickname, - cert_chain_file=external_ca_cert_chain_file, - trust_attributes='CT,C,C') - subsystem.config['ca.external_ca_chain.cert'] = cert_chain - # If specified, import externally-signed CA cert into NSS database. + # Note: CA cert must be imported before the cert chain to ensure that + # the CA cert is imported with the correct nickname. signing_nickname = deployer.mdict['pki_ca_signing_nickname'] signing_cert_file = deployer.mdict['pki_external_ca_cert_path'] if signing_cert_file: @@ -183,6 +174,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): pkcs12_password = deployer.mdict['pki_external_pkcs12_password'] nssdb.import_pkcs12(pkcs12_file, pkcs12_password) + # If specified, import cert chain into NSS database. + external_ca_cert_chain_nickname = \ + deployer.mdict['pki_external_ca_cert_chain_nickname'] + external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] + if external_ca_cert_chain_file: + cert_chain, _nicks = nssdb.import_cert_chain( + nickname=external_ca_cert_chain_nickname, + cert_chain_file=external_ca_cert_chain_file, + trust_attributes='CT,C,C') + subsystem.config['ca.external_ca_chain.cert'] = cert_chain + # Export CA cert from NSS database and import it into CS.cfg. signing_cert_data = nssdb.get_cert( nickname=signing_nickname, -- 2.5.0
_______________________________________________ Pki-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-devel
