dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pki-server ca-cert-chain-export does not appear to export the entire chain for a sub-CA #3071

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2953. Originally filed by tvaughan (@trevor-vaughan) on 2018-03-02 10:20:55:


I have set up a root and sub CA and am attempting to export the entire certificate chain for the sub CA using the following command:

pki-server ca-cert-chain-export -i sub-ca --pkcs12-file sub-ca-chain.p12 --pkcs12-password-file sub-ca.pwd

When run, this is only exporting the root CA certificate and does not output both the sub CA and the root CA certificate which is what I was expecting.

Package Version: pki-server-10.4.1-17.el7_4.noarch

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-03-07 21:08:24

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2018-03-09 19:46:07

Hi, I think the pki-server ca-cert-chain-export command was originally intended to export the cert chain of the system certs, excluding the leaf cert itself. So if you have a sub CA cert, the cert chain is just the root CA cert.

It might not be a very useful command, so we might deprecate it in the future. There is a better command to export the CA signing cert with the complete chain:

$ pki-server cert-export ca_signing ...

or if that is not available in PKI 10.4, try this:

$ pki-server subsystem-cert-export ca signing ...

If that works, feel free to close this ticket, or keep it open to deprecate the pki-server ca-cert-chain-export. Thanks!
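As an added check (example script written for this page, not Dogtag's own code and not from the commenter), the following verifies that a PKCS#12 bundle exported for a sub-CA really contains both the sub-CA signing certificate and the root, instead of the root alone as the reporter saw. It assumes openssl is on PATH; the CA names, file names and the demo chain it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Dogtag's own code): check that a PKCS#12 bundle exported
# for a sub-CA holds both the sub-CA signing cert and its root, instead of the
# root alone as reported in this issue. Requires openssl on PATH.

# count_certs P12 PWFILE -> number of certificates in the bundle
count_certs() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# chain_complete P12 PWFILE ROOT_CN SUB_CN -> exit 0 only if both names appear
# as certificate subjects (issuer= lines are deliberately ignored, since the
# root name shows up there even when the root cert itself is missing)
chain_complete() {
    subjects=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep '^subject=' || true)
    printf '%s\n' "$subjects" | grep -q "$3" && printf '%s\n' "$subjects" | grep -q "$4"
}

# make_demo_chain DIR -> constructed root CA + sub-CA and two bundles:
#   DIR/root-only.p12  reproduces what ca-cert-chain-export gave the reporter,
#   DIR/full-chain.p12 is what a correct signing-cert export should contain.
make_demo_chain() {
    d="$1"
    echo demo > "$d/sub-ca.pwd"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/sub.crt" 2>/dev/null
    openssl pkcs12 -export -nokeys -in "$d/root.crt" \
        -out "$d/root-only.p12" -passout "file:$d/sub-ca.pwd"
    openssl pkcs12 -export -nokeys -in "$d/sub.crt" -certfile "$d/root.crt" \
        -out "$d/full-chain.p12" -passout "file:$d/sub-ca.pwd"
}

# Usage: sh check-chain.sh BUNDLE.p12 PASSWORD-FILE ROOT_CN SUB_CN
if [ "$#" -eq 4 ]; then
    if chain_complete "$1" "$2" "$3" "$4"; then
        echo "ok: $(count_certs "$1" "$2") certs, sub-CA and root both present"
    else
        echo "incomplete: sub-CA or root missing from $1" >&2
        exit 1
    fi
fi
```

Run it against the file produced by `pki-server cert-export` (or `subsystem-cert-export`) with the same password file you passed to the export; a result of "incomplete" means the bundle would not let a client build the path from a leaf up to the root.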

pki-bot commented 3 years ago

Comment from tvaughan (@trevor-vaughan) at 2018-03-13 21:51:06

@edewata The second command subsystem-cert-export worked for my purposes.

I would suggest updating the documentation to reflect the proper method for doing this and definitely deprecating, or changing, the ca-cert-chain-export command.

Thanks for the help, this can be closed.