[Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil

Rob Crittenden rcritten at redhat.com
Wed Mar 16 13:45:34 UTC 2016


Martin Basti wrote:
>
>
> On 15.03.2016 07:26, David Kupka wrote:
>> On 14/03/16 09:29, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5117>
>>> and <https://fedorahosted.org/freeipa/ticket/5720>.
>>>
>>> Honza
>>>
>>>
>>>
>> Hi, thanks for the patch. I haven't found any distortion of affected
>> use cases, ACK.
>>
> Pushed to:
> ipa-4-2: 00097c1dd82f55b1e004b9d6eb4f6ed7fb6ffca8
> ipa-4-3: b7bf55e951cabf77aa72b4b795396b52b801f8ba
> master: 54a59475f301267c7263a649df1b992e9b3e08aa
>

Hmm, I'm unable to reproduce this behavior. I have a database with two 
server certs, same nickname:

$ certutil -L -d /tmp/db -n Server-Cert -a
-----BEGIN CERTIFICATE-----
<blob>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<blob>
-----END CERTIFICATE-----

$ certutil -L -d /tmp/db -n Server-Cert |grep Serial
         Serial Number: 7 (0x7)
         Serial Number: 6 (0x6)

$ certutil -L -d /tmp/db -n Server-Cert -r -o /tmp/server.der
$ /usr/lib64/nss/unsupported-tools/derdump -i /tmp/server.der |grep -C 2 Integer
    C-Sequence  (554)
       C-[0]  (3)
          Integer  (1)
             02
       Integer  (1)
          07
       C-Sequence  (13)
--
    C-Sequence  (554)
       C-[0]  (3)
          Integer  (1)
             02
       Integer  (1)
          06
       C-Sequence  (13)

$ openssl x509 -text -in /tmp/server.der -inform der |grep Serial
         Serial Number: 7 (0x7)

I guess it's something else, python-nss perhaps, that can't handle a DER 
with multiple certs in it. So no need to file a mozilla bug I suppose.

rob
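Added example, not part of Rob's message or of FreeIPA's or python-nss's code: the behaviour shown above is that `certutil -L -r` on a nickname shared by two certificates writes both DER objects back to back into one file, and a consumer that expects exactly one object (openssl x509 here) silently reads only the first. The script below walks the outer ASN.1 TLV lengths to split such a file into its individual certificates and pulls the serialNumber out of each, so a caller can detect the multi-object case instead of silently using the first one. Function names and the sample input are mine; the sample is a constructed certificate-shaped structure (version [0] then serialNumber, with filler), not a real certificate.

```python
"""Split a DER file holding several concatenated objects and read each serial."""
from typing import List, Tuple


def read_tlv(data: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse one definite-length BER/DER TLV header at `pos`.
    Returns (tag, value_start, value_end); raises ValueError on truncation."""
    if pos >= len(data):
        raise ValueError("truncated: no tag byte")
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected in an X.509 outer structure")
    if pos >= len(data):
        raise ValueError("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form
        length = first
    elif first == 0x80:                    # indefinite form is BER, never DER
        raise ValueError("indefinite length is not DER")
    else:                                  # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated: value runs past end of data")
    return tag, pos, end


def split_der(data: bytes) -> List[bytes]:
    """Return every top-level SEQUENCE in `data` as its own byte string."""
    objects = []
    pos = 0
    while pos < len(data):
        tag, _, end = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE at offset {pos}, got tag 0x{tag:02x}")
        objects.append(data[pos:end])
        pos = end
    return objects


def is_well_formed(data: bytes) -> bool:
    """True if `data` is a clean run of complete DER SEQUENCEs (no trailing junk)."""
    try:
        split_der(data)
        return True
    except ValueError:
        return False


def serial_number(cert: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate, skipping the optional [0] version."""
    _, tbs_start, _ = read_tlv(cert, 0)              # Certificate SEQUENCE
    tag, pos, _ = read_tlv(cert, tbs_start)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = read_tlv(cert, pos)
    if tag == 0xA0:                                  # [0] EXPLICIT version, optional
        tag, vstart, vend = read_tlv(cert, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(cert[vstart:vend], "big", signed=True)


def serials_in_blob(data: bytes) -> List[int]:
    """Serial of every object in a (possibly concatenated) DER blob, in file order."""
    return [serial_number(c) for c in split_der(data)]


# --- constructed sample input (assumption: not a real certificate) ---------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def fake_cert(serial: int) -> bytes:
    """Certificate-shaped SEQUENCE: [0]{INTEGER 2}, INTEGER serial, filler.
    Filler makes the outer length use the long form, as a real cert's does."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial_tlv = _tlv(0x02, serial.to_bytes(1, "big"))
    filler = _tlv(0x04, b"\x00" * 200)               # stands in for the rest of tbsCertificate
    return _tlv(0x30, _tlv(0x30, version + serial_tlv + filler))


# Mirrors the mail: two objects with serials 7 and 6 written back to back.
CONCATENATED = fake_cert(7) + fake_cert(6)

if __name__ == "__main__":
    for i, cert in enumerate(split_der(CONCATENATED)):
        print(f"object {i}: {len(cert)} bytes, serial {serial_number(cert)}")
```

Run against the real /tmp/server.der from the message, `serials_in_blob` would return both serials where `openssl x509` reports only the first; a caller that expects one certificate should treat `len(split_der(data)) != 1` as an error rather than picking the first object.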