** Description changed: OS: ubuntu 18.04 Dogtag: 10.6.0 When renewing subsystem certificates in dogtag (by following the process described here: https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will break due to incorrect trust flags in NSS. The certificate IDs are: - 'ocsp_signing' (gets 'u,u,u' shoud get 'CTu,Cu,Cu') + 'ocsp_signing' (gets 'u,u,u' should get 'CTu,Cu,Cu') 'ocsp_audit_signing' (gets 'u,u,u' should get 'u,u,Pu') + 'ca_audit_signing' (gets 'u,u,u' should get 'u,u,Pu') + To fix this certutil must be executed to correct them. In case anyone else finds this bugreport and need an emergency fix, certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP' certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP' + + certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n + 'auditSigningCert cert-pki-tomcat CA'
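Review bot: the emergency command for the OCSP signing certificate passes -t 'CTU,Cu,Cu', while the list above it gives the expected flags as 'CTu,Cu,Cu'. NSS trust flags are case-sensitive, so the command and the stated target should use the same string; suggest 'CTu,Cu,Cu' in that certutil line. The added CA audit command is also split after -n, with the nickname 'auditSigningCert cert-pki-tomcat CA' on the following line, so it has to be rejoined into a single line before it is run. Listing the database afterwards with certutil -L -d 'sql:/etc/pki/pki-tomcat/alias' shows the resulting flags for each nickname.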
--
https://bugs.launchpad.net/bugs/1813919
Title: Incorrect trust flags in NSSDB when renewing subsystem certificates