Export a cert that has no priv key using PKCS12Export tool and importing to another nss db using pk12util shows NULL

[pki-bot]

This issue was migrated from Pagure Issue #1513. Originally filed by aakkiang (@aakkiang) on 2015-07-24 04:05:43:

• Assigned to nobody
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1246260

---

Export a certificate that has no private key along with other cert/keys in the nssdb using PKCS12Export tool and import to aother nss db using pk12util shows certificate nickname as NULL.

Steps to Reproduce:

I have a caocspsigning cert imported from CA to KRA's subsystem db with a trust
"C,,". Exported the certs & keys from KRA's nss db using PKCS12Export and
imported using pk12util to a fresh nss db. The "caocspsigning" cert shows up as
NULL.  Also, the trust bits for "PKI ROOTCA Signing Cert - redhat" and
"kra3auditsigningcert" are not the same after the import.

# certutil -L -d /var/lib/pki/rootkra/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI ROOTCA Signing Cert - redhat                             CT,c,
kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,Pu
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
caocspsigningcert                                            C,,

# PKCS12Export -d /var/lib/pki/rootkra/alias -o KRA_SUBSYSTEM_CERTS -p
./password  -w ./password

# pk12util -d /root/temp12/ -i ./KRA_SUBSYSTEM_CERTS
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# certutil -L  -d /root/temp12

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,u
PKI ROOTCA Signing Cert - redhat                             ,,
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
(NULL)                                                       ,,

[pki-bot]

Comment from mharmsen (@mharmsen) at 2015-07-28 01:59:09

Per CS/DS Meeting of 07/27/2015: 10.3 (low)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2016-05-06 19:49:17

Per Bug Triage of 05/05/2016: 10.4

NOTE: Might be a NSS issue (pk12util bug?).

[pki-bot]

Comment from aakkiang (@aakkiang) at 2017-02-27 14:10:46

Metadata Update from @aakkiang:

• Issue set to the milestone: UNTRIAGED

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-08-31 13:46:52

Metadata Update from @mharmsen:

• Custom field feature adjusted to None
• Custom field proposedmilestone adjusted to None
• Custom field proposedpriority adjusted to None
• Custom field reviewer adjusted to None
• Custom field version adjusted to None
• Issue close_status updated to: None
• Issue priority set to: major (was: minor)
• Issue set to the milestone: 10.5 (was: UNTRIAGED)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-25 18:21:07

[20171025] - Offline Triage ==> 10.6

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-25 18:21:07

Metadata Update from @mharmsen:

• Issue set to the milestone: 10.6 (was: 10.5)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2018-04-13 18:25:13

Per 10.5.x/10.6 Triage: 10.6

mharmsen: as this issue is quite old, it needs to be re-verified with more recent bits to see if it is still a problem