| field | value | date |
|---|---|---|
| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-14 12:19:25 +1000 |
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-15 11:41:04 +1000 |
| commit | 41aef5254c20301851716ef46b614d185b33a87b (patch) | |
| tree | 6a8f086130e5703f37c2764f29ad28fd216d551f /base/java-tools/src/com | |
| parent | 4c6049e0df753e8bf9beca0a54a18481f7eee72f (diff) | |
Do not attempt cert update unless signing key is present

If an authority entry is read with the authoritySerial attribute,
and the serial differs from the known serial or the serial was
previously unknown, Dogtag attempts to update the certificate in the
NSSDB. The procedure is carried out during initialisation, and if it
fails an exception is thrown, causing the CA to remain unknown.

If the signing key is not yet in the NSSDB, the update is certain to
fail. This can happen e.g. if a CA is created on one clone while
another clone is down. When the other clone comes up, it will
immediately see the authoritySerial and trigger this scenario.

To avoid this scenario, only attempt to update the certificate if
the signing unit initialisation completed successfully, implying the
presence of the signing key.

Fixes: https://fedorahosted.org/pki/ticket/2359
Diffstat (limited to 'base/java-tools/src/com')
0 files changed, 0 insertions, 0 deletions
