CZERTAINLY / CZERTAINLY-Core

CZERTAINLY - core of the platform managing certificate lifecycle management related tasks
https://www.czertainly.com
MIT License

CA certificate uploaded via API is not trusted #784

Closed semik closed 2 months ago

semik commented 2 months ago

Describe the bug

CA certificate uploaded via API not trusted even when marked as trusted.

I wrote a script which first uses /api/v1/certificates/upload to upload a certificate. From this call it receives the UUID of the cert; after that it marks the certificate as trusted by calling /api/v1/certificates/<UUID> with body:

{
  'trustedCa': True
}

But in the UI it is still marked as untrusted in the Certificate list. I need to visit the certificate detail, which causes the cert to become trusted, without any action from my side.

Certificates really get trusted after 24h, when the automatic update job starts to work on them.

To Reproduce

Use the API to upload a certificate and mark it as trusted. My script: upload-cert.py.

Expected behavior

I expected that after marking a certificate as trusted via the API, CZERTAINLY would immediately start to trust it.

Screenshots

Please note the black dot in front of TWCA Root Certification Authority: image

When I click on the CA name it displays the detail. The Trusted CA switch was ON (because of the fact I set it via the API call). Sometimes I noted that Validation Status switched from black to green Valid. Sometimes the action was not visible and the page loaded with Valid status: image

When I return to the Certificate list, TWCA Root Certification Authority is marked as trusted: image

Additional context

I was testing on CZERTAINLY version 2.11.0

3keyroman commented 2 months ago

Using the API for uploading and marking the CA certificate as trusted is working properly; also, based on your script and screenshot, the Trusted CA property is changed.

The validation of a certificate is triggered periodically, using the algorithms described here: https://docs.czertainly.com/docs/certificate-key/concept-design/core-components/certificate#validation.

The validation of a certificate is handled by the updateCertificateStatusJob scheduled job, which is triggered once per hour and should check 1/24 of certificates; eventually it should cover the validity of all certificates once per day.

The validation of a certificate is also triggered independently of the scheduled job when you request details about the certificate using the Get Certificate Details API.

So when you mark a CA certificate as trusted, the certificates that are issued by this CA will be validated according to the algorithm described.

I do not consider this behaviour a bug.
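
A small model of the schedule described in the comment above, added here as an example (it is not CZERTAINLY's code and not part of the thread): it shows why the cached status in the list view can lag a `trustedCa` change by up to 24 hourly runs, while an on-demand validation updates it at once. The `Inventory` class, the stalest-first batch selection and the simplified chain check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RUNS_PER_CYCLE = 24  # from the thread: hourly job, 1/24 of certificates per run

@dataclass
class Cert:
    name: str
    issuer: Optional[str]        # None marks a self-signed root
    trusted_ca: bool = False
    status: str = "not_checked"  # cached status, as shown in the list view
    last_checked: int = -1

class Inventory:                 # hypothetical model, not CZERTAINLY code
    def __init__(self, certs):
        self.certs = {c.name: c for c in certs}
        self.hour = 0

    def set_trusted(self, name):
        self.certs[name].trusted_ca = True   # flag only; cached status untouched

    def validate(self, name):
        cert = node = self.certs[name]
        while node.issuer is not None:       # walk up to the root of the chain
            node = self.certs[node.issuer]
        cert.status = "valid" if node.trusted_ca else "invalid"
        cert.last_checked = self.hour
        return cert.status

    def hourly_job(self):
        self.hour += 1
        batch = -(-len(self.certs) // RUNS_PER_CYCLE)   # ceil(n / 24)
        # Assumption: each run takes the certificates checked longest ago.
        stalest = sorted(self.certs.values(), key=lambda c: c.last_checked)
        for cert in stalest[:batch]:
            self.validate(cert.name)

def build():
    # Constructed inventory: one root CA and 47 leaf certificates it issued.
    root = [Cert("root-ca", None)]
    return Inventory(root + [Cert(f"leaf-{i}", "root-ca") for i in range(47)])

def hours_until_valid(inv, name, limit=48):
    # Run the hourly job until the cached status of `name` reads "valid".
    for _ in range(limit):
        if inv.certs[name].status == "valid":
            return inv.hour
        inv.hourly_job()
    return None
```
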

semik commented 2 months ago

I accept your arguments, this is not a bug. I misunderstood the meaning of trustedCA and validation.

I modified my script to call validation (not just getting the cert's detail) after setting trustedCA = true, and it started working. Code is now in company repo.

Thanks for the explanation. I'm closing this issue.