From Fedora Project Wiki
Revision as of 11:36, 28 March 2013
Description
This tests what happens when a ca-bundle.crt bundle has been modified in a previous Fedora release, which is then upgraded to use shared system certificates.
Setup
- Prepare a clean Fedora 18 install.
- You can set up a new virtual machine using the Fedora 18 Live CD.
- Proceed with the setup as usual, complete first boot, then log in.
- Install wget:
$ sudo yum install wget
- Download the necessary certificate file:
$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
- Become root:
$ sudo -s
- The commands below should be executed as root.
How to test
- Modify the ca-bundle.crt and ca-bundle.trust.crt files by adding a certificate:
# cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
# cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
- Modify the cacerts file by adding a certificate:
# openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
# keytool -importcert cert-test-der -keystore /etc/pki/java/cacerts -alias p11-test
- fholec: does not seem like a valid command, this worked for me:
# keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test
- The password is 'changeit'; answer 'yes' when prompted.
- You should see "Certificate was added to keystore".
- Verify that the files have been modified:
# rpm -V ca-certificates
- You should see all three files modified above listed.
- Upgrade the packages in question to Fedora 19:
# yum update --nogpgcheck --releasever=19 ca-certificates
- A whole bunch of packages will be updated; this step depends on the state of Fedora 19 at the time the test is performed.
- Alternatively you may perform a complete upgrade.
Expected Results
- You should see that the bundles which were modified above are now saved as .rpmsave files in these locations:
/etc/pki/java/cacerts.rpmsave
/etc/pki/tls/certs/ca-bundle.crt.rpmsave
/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave
- Verify that the java .rpmsave file contains the added certificate:
$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
- The password is 'changeit'.
- You should see a line of output that contains "p11-test" and "trustedCertEntry".
- Verify that the cacerts file in use by Java does not contain the added certificate:
$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
- The password is 'changeit'.
- You should see no certificate lines of output.
- Verify that the ca-bundle.crt.rpmsave file contains your added certificate:
$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
- You should see a line of output that contains "p11-kit Test CA".
- Verify that the ca-bundle.trust.crt.rpmsave file contains your added certificate:
$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
- You should see a line of output that contains "p11-kit Test CA".
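The PEM checks above rely on `tail -n 21` picking out exactly the last certificate, which only holds while the appended certificate is 21 lines long. The following is an added example, not part of the Fedora test case and not ca-certificates project code, that does the same "does the .rpmsave bundle keep the added CA, and is it absent from the live bundle" verification by parsing the PEM framing and matching certificates by SHA-256 fingerprint over their DER bytes (the value `openssl x509 -fingerprint -sha256` prints). The bundle contents are constructed: the base64 bodies are arbitrary bytes wrapped in PEM framing, not real X.509 certificates, because only the framing matters for the bundle membership check.

```python
import base64
import hashlib
import re
from typing import List

# Matches one CERTIFICATE block in a PEM bundle such as ca-bundle.crt and
# captures its base64 body (possibly spanning many lines).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(bundle_text: str) -> List[str]:
    """Return the base64 body of every CERTIFICATE block in the bundle, in file order."""
    return [re.sub(r"\s+", "", body) for body in PEM_BLOCK_RE.findall(bundle_text)]


def der_fingerprint(pem_body: str) -> str:
    """SHA-256 over the DER bytes, i.e. the certificate's SHA-256 fingerprint."""
    return hashlib.sha256(base64.b64decode(pem_body)).hexdigest()


def bundle_fingerprints(bundle_text: str) -> List[str]:
    """Fingerprint of each certificate in the bundle, in file order."""
    return [der_fingerprint(body) for body in pem_blocks(bundle_text)]


def bundle_contains(bundle_text: str, cert_pem: str) -> bool:
    """True if the single PEM certificate appears in the bundle (matched by DER fingerprint)."""
    target = pem_blocks(cert_pem)
    if len(target) != 1:
        raise ValueError("cert_pem must contain exactly one certificate")
    return der_fingerprint(target[0]) in bundle_fingerprints(bundle_text)


def make_fake_pem(seed: bytes) -> str:
    """Constructed PEM framing around arbitrary bytes (NOT a real certificate),
    wrapped at 64 characters per line the way openssl writes PEM."""
    body = base64.b64encode(seed * 8).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: a stand-in for the distribution bundle and for the
# Cert-trust-test-ca.pem file appended by the test procedure.
DISTRO_BUNDLE = make_fake_pem(b"vendor-ca-one") + make_fake_pem(b"vendor-ca-two")
TEST_CA = make_fake_pem(b"p11-kit Test CA (constructed)")


def rpmsave_check(rpmsave_text: str, live_text: str, test_ca_pem: str) -> dict:
    """The Expected Results step: the saved copy keeps the added CA, the live
    bundle installed by the upgrade does not, and the counts differ by one."""
    return {
        "rpmsave_has_test_ca": bundle_contains(rpmsave_text, test_ca_pem),
        "live_has_test_ca": bundle_contains(live_text, test_ca_pem),
        "rpmsave_cert_count": len(pem_blocks(rpmsave_text)),
        "live_cert_count": len(pem_blocks(live_text)),
    }


if __name__ == "__main__":
    # What `cat Cert-trust-test-ca.pem >> ca-bundle.crt` leaves behind, versus a
    # freshly installed bundle without the local addition.
    modified = DISTRO_BUNDLE + TEST_CA
    print(rpmsave_check(modified, DISTRO_BUNDLE, TEST_CA))
```

On a real system, `rpmsave_check` would be fed the contents of /etc/pki/tls/certs/ca-bundle.crt.rpmsave and /etc/pki/tls/certs/ca-bundle.crt together with Cert-trust-test-ca.pem; because membership is decided by DER fingerprint rather than by line position, the check stays correct however long the appended certificate is and wherever in the bundle it ended up.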
Troubleshooting
- Because rpm is broken in this case (see bug for details), we use .rpmsave instead of .rpmnew files here. But because upgrading a Fedora system is not a completely seamless and supported operation, this is an appropriate compromise.