View Issue Details

ID: 0001915
Project: Rocky-Linux-9
Category: ca-certificates
View Status: public
Last Update: 2023-01-30 00:39
Reporter: Petr Kracik
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0001915: ca-bundle.trust.crt contains expired CA certificates
Description: We have a monitoring script, which monitors /etc/pki/tls for expiring (or expired) certificates; after reinstalling to Rocky 9 it started showing expired certs in this bundle (/etc/pki/tls/certs/ca-bundle.trust.crt).

I randomly checked some CAs contained in that file, and there really are a few certificates that expired around 10 years ago.
I've checked the Mozilla CA bundle, but those CAs do not seem to be there. So I do not know where they came from.

I found a source at /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
Steps To Reproduce: Install a fresh minimal Rocky 9.1 (I did it from PXE)
Additional Information: The ca-certificates package is the latest available in el9 (as of the date of writing this report)

# rpm -qa |grep ca-certificates
ca-certificates-2022.2.54-90.2.el9.noarch


Check the file /etc/pki/tls/certs/ca-bundle.trust.crt with openssl; the first certificate expired 12 years ago:

# Issuer: C = AT, ST = Austria, L = Vienna, O = ARGE DATEN - Austrian Society for Data Protection, OU = A-CERT Certification Service, CN = A-CERT ADVANCED, emailAddress = info@a-cert.at
# Validity
# Not Before: Oct 23 14:14:14 2004 GMT
# Not After : Oct 23 14:14:14 2011 GMT
Tags: No tags attached.
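The check the reporter describes, as an added example that is not from the report, from Rocky Linux or from the ca-certificates package: a scanner that walks every PEM entry in a bundle, decodes just enough DER to reach the validity field, and reports the entries whose notAfter has passed. It assumes only the Python standard library; the certificates it scans are constructed inline (unsigned, structurally valid) and carry the two date ranges quoted in this issue.

```python
import base64, re
from datetime import datetime, timezone
# ca-bundle.crt uses the CERTIFICATE label; the OpenSSL trust-format bundle (ca-bundle.trust.crt)
# uses TRUSTED CERTIFICATE, whose body is the certificate DER followed by a trust-attribute block.
PEM_RE = re.compile(r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----(.*?)-----END \1-----", re.S)
REPORT_DATE = datetime(2023, 1, 25, tzinfo=timezone.utc)   # the report's date, used as "now" below

def _tlv(buf, pos):                                     # one DER tag+length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _asn1_time(buf, tag, start, end):                   # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                              # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0: p = end                             # skip optional explicit [0] version
    for _ in range(3): _, _, p = _tlv(der, p)           # skip serialNumber, signature, issuer
    _, p, _ = _tlv(der, p)                              # validity SEQUENCE
    t1, s1, e1 = _tlv(der, p)
    t2, s2, e2 = _tlv(der, e1)
    return _asn1_time(der, t1, s1, e1), _asn1_time(der, t2, s2, e2)

def expired_entries(bundle_text, now=None):            # -> [(label, index, notAfter)] for entries expired at `now`
    now, found = now or datetime.now(timezone.utc), []
    for i, (label, body) in enumerate(PEM_RE.findall(bundle_text)):
        _, not_after = validity(base64.b64decode("".join(body.split())))
        if not_after < now:
            found.append((label, i, not_after))
    return found

def _der(tag, payload):                                 # minimal DER encoder for the constructed sample (short lengths only)
    return bytes([tag, len(payload)]) + payload
def _sample(label, nb, na):                             # constructed, unsigned, structurally valid certificate
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                     # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))         # sha1WithRSAEncryption
           + _der(0x30, b"") + _der(0x30, _der(0x17, nb) + _der(0x17, na)) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    aux = _der(0x30, b"") if label == "TRUSTED CERTIFICATE" else b""                 # trailing trust-attribute block
    return f"-----BEGIN {label}-----\n{base64.b64encode(cert + aux).decode()}\n-----END {label}-----\n"
SAMPLE_BUNDLE = (_sample("TRUSTED CERTIFICATE", b"041023141414Z", b"111023141414Z")  # A-CERT ADVANCED dates from the report
                 + _sample("CERTIFICATE", b"110505093737Z", b"301231093737Z"))        # ACCVRAIZ1 dates from the report
```

Run against a real bundle with `expired_entries(open(path).read())`; only the entry with the 2011 notAfter is reported for the sample above.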

Activities

Akemi Yagi
2023-01-30 00:39
reporter   ~0002245

What I can say is that the same file on RHEL systems has the same date range:

$ openssl x509 -text -noout -in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = AT, ST = Austria, L = Vienna, O = ARGE DATEN - Austrian Society for Data Protection, OU = A-CERT Certification Service, CN = A-CERT ADVANCED, emailAddress = info@a-cert.at
        Validity
            Not Before: Oct 23 14:14:14 2004 GMT
            Not After : Oct 23 14:14:14 2011 GMT

while ca-bundle.crt shows:

$ openssl x509 -text -noout -in /etc/pki/tls/certs/ca-bundle.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
        Validity
            Not Before: May 5 09:37:37 2011 GMT
            Not After : Dec 31 09:37:37 2030 GMT

Therefore you may need to ask Red Hat why the two certificates are set up that way.

Issue History

Date Modified       Username       Field        Change
2023-01-25 15:10    Petr Kracik    New Issue
2023-01-30 00:39    Akemi Yagi     Note Added   0002245