[branch v11.5] Include -a when calling certutil to verify a certificate exists #4783
Conversation
Without the -a certutil pauses just prior to displaying the trust flags. This is strange because the flags are stored in the internal token which is what is being queried. Only the internal token password is made available to certutil. The call looks like this in an IPA installation: certutil -L -d /etc/pki/pki-tomcat/alias -h internal \ -f/etc/pki/pki-tomcat/pfile -n 'Directory Server CA certificate' In any case adding -a skips this trust value and displays the cert as a PEM and doesn't require the password. Fixes: dogtagpki#4782 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
There was a problem hiding this comment.
LGTM. Thanks!
This code has been that way for a long time, so I suppose something changed recently in NSS or some other packages triggering this new behavior. Do you think that's a bug, or is that the proper behavior?
Looks like this code doesn't exist anymore in the master branch so there's no need cherry-pick this patch.
I don't recall seeing this during development of HSM in IPA but there are several permutations when installing the KRA. It's possible I overlooked this. |
Without the -a certutil pauses just prior to displaying the trust flags. This is strange because the flags are stored in the internal token which is what is being queried. Only the internal token password is made available to certutil.
The call looks like this in an IPA installation:
certutil -L -d /etc/pki/pki-tomcat/alias -h internal \ -f/etc/pki/pki-tomcat/pfile -n 'Directory Server CA certificate'
In any case adding -a skips this trust value and displays the cert as a PEM and doesn't require the password.
Fixes: #4782