dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Export a cert that has no priv key using PKCS12Export tool and importing to another nss db using pk12util shows NULL #2072

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1513. Originally filed by aakkiang (@aakkiang) on 2015-07-24 04:05:43:


Export a certificate that has no private key along with other cert/keys in the nssdb using PKCS12Export tool and import to another nss db using pk12util shows certificate nickname as NULL.

Steps to Reproduce:

I have a caocspsigning cert imported from CA to KRA's subsystem db with a trust
"C,,". Exported the certs & keys from KRA's nss db using PKCS12Export and
imported using pk12util to a fresh nss db. The "caocspsigning" cert shows up as
NULL.  Also, the trust bits for "PKI ROOTCA Signing Cert - redhat" and
"kra3auditsigningcert" are not the same after the import.

```
# certutil -L -d /var/lib/pki/rootkra/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI ROOTCA Signing Cert - redhat                             CT,c,
kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,Pu
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
caocspsigningcert                                            C,,

# PKCS12Export -d /var/lib/pki/rootkra/alias -o KRA_SUBSYSTEM_CERTS -p ./password -w ./password

# pk12util -d /root/temp12/ -i ./KRA_SUBSYSTEM_CERTS
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# certutil -L -d /root/temp12

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,u
PKI ROOTCA Signing Cert - redhat                             ,,
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
(NULL)                                                       ,,
```

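
A post-import consistency check for the discrepancy reported above, added here as an example and not part of the issue or of the pki project: it reduces two `certutil -L` listings (abridged from the report and embedded as constants) to nickname/trust pairs and flags certs that came back as (NULL), went missing, or changed trust attributes. It assumes only POSIX sh and awk; in practice the listings would be captured from the source and destination NSS DBs.

```shell
# Diff a source NSS DB listing against the listing of a DB filled from its
# PKCS#12 export: flag nicknames that vanished, came back as "(NULL)" or lost
# trust flags. Listings abridged from the issue; capture real ones with certutil -L.
SRC_LISTING='Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

PKI ROOTCA Signing Cert - redhat      CT,c,
kra3transportcert                     u,u,u
Server-Cert cert-pki-RootCA           u,u,u
kra3auditsigningcert                  u,u,Pu
caocspsigningcert                     C,,'
DST_LISTING='Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

kra3transportcert                     u,u,u
Server-Cert cert-pki-RootCA           u,u,u
kra3auditsigningcert                  u,u,u
PKI ROOTCA Signing Cert - redhat      ,,
(NULL)                                ,,'

# Reduce a listing to "nickname<TAB>trust" lines. Nicknames can contain spaces,
# so the trust column is the last field and the nickname is everything before it.
parse_listing() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[[:space:]]*$/ { next }
        { trust = $NF; sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, ""); print $0 "\t" trust }'
}

# Print one FINDING line per discrepancy between the source and imported DB.
compare_listings() {
    { echo SRC; parse_listing "$1"; echo DST; parse_listing "$2"; } | awk -F '\t' '
        $0 == "SRC" { side = "src"; next }   $0 == "DST" { side = "dst"; next }
        side == "src" { src[$1] = $2; order[++n] = $1; next }
        { dst[$1] = $2 }
        END {
            if ("(NULL)" in dst) print "FINDING: imported DB holds a cert with nickname (NULL)"
            for (i = 1; i <= n; i++) {
                nick = order[i]
                if (!(nick in dst)) print "FINDING: " nick " missing after import"
                else if (dst[nick] != src[nick]) print "FINDING: " nick " trust " src[nick] " -> " dst[nick]
            }
        }'
}

# Number of findings; 0 means the export/import round-tripped cleanly.
count_findings() { compare_listings "$1" "$2" | grep -c '^FINDING'; }

compare_listings "$SRC_LISTING" "$DST_LISTING"
```

On the listings from the report this yields four findings: the (NULL) entry, the missing caocspsigningcert, and the changed trust bits on the root CA cert and the audit signing cert.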
pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-07-28 01:59:09

Per CS/DS Meeting of 07/27/2015: 10.3 (low)

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-05-06 19:49:17

Per Bug Triage of 05/05/2016: 10.4

NOTE: Might be a NSS issue (pk12util bug?).

pki-bot commented 4 years ago

Comment from aakkiang (@aakkiang) at 2017-02-27 14:10:46

Metadata Update from @aakkiang:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-31 13:46:52

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:21:07

[20171025] - Offline Triage ==> 10.6

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:21:07

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-13 18:25:13

Per 10.5.x/10.6 Triage: 10.6

mharmsen: as this issue is quite old, it needs to be re-verified with more recent bits to see if it is still a problem