Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1357075 - pki client-cert-import --trust option does not apply the specified trust bits
Summary: pki client-cert-import --trust option does not apply the specified trust bits
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.3
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On:
TreeView+ depends on / blocked
Reported: 2016-07-15 16:07 UTC by Roshni
Modified: 2016-11-04 05:26 UTC (History)
1 user (show)

Fixed In Version: pki-core-10.3.3-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:26:10 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2396 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2016-11-03 13:55:03 UTC

Description Roshni 2016-07-15 16:07:14 UTC
Description of problem:
pki client-cert-import --trust option does not apply the specified trust bits

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
pki -d /etc/dirsrv/slapd-topology-06-testingmaster -C /etc/dirsrv/slapd-topology-06-testingmaster/password.txt -h localhost -p 20080 client-cert-import "CA Certificate" --ca-cert /etc/dirsrv/slapd-topology-06-testingmaster/ca.crt --trust CT,CT,CT

Actual results:

Imported certificate "CA Certificate"
[root@pki1 ~]# certutil -L -d /etc/dirsrv/slapd-topology-06-testingmaster
Certificate Nickname                                         Trust Attributes
CA Certificate                                               CT,c,

Expected results:

The imported certificate should have trust bits set to "CT,C,C"

Additional info:

Comment 2 Matthew Harmsen 2016-07-20 20:30:44 UTC
Upstream ticket:

Comment 3 Matthew Harmsen 2016-08-03 00:42:09 UTC
[alee@localhost pki]$ git push origin master Counting objects: 50, done. Delta compression using up to 8 threads. Compressing objects: 100% (46/46), done. Writing objects: 100% (50/50), 8.80 KiB | 0 bytes/s, done. Total 50 (delta 39), reused 0 (delta 0) To ​ssh://

    cb72f5b..7cfff9f master -> master

* 7cfff9fb0c08d08f57d6229cb8a67d7c94f785aa

Comment 5 Roshni 2016-09-07 16:11:15 UTC
[root@auto-hv-02-guest02 certsdb]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 8.el7
Architecture: noarch
Install Date: Wed 31 Aug 2016 02:28:11 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-8.el7.src.rpm
Build Date  : Tue 30 Aug 2016 03:23:27 PM EDT
Build Host  :
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <>
Vendor      : Red Hat, Inc.
URL         :
Summary     : Certificate System - Certificate Authority

[root@auto-hv-02-guest02 certsdb]# pki -d . -c Secret123 -h localhost -p 8080 client-cert-import "CA Certificate" --ca-cert ca.pem --trust CT,CT,CT
Imported certificate "CA Certificate"
[root@auto-hv-02-guest02 certsdb]# certutil -L -d .

Certificate Nickname                                         Trust Attributes

PKI CA Administrator for Example.Org                         u,u,u
CA Certificate                                               CT,C,C

Comment 7 errata-xmlrpc 2016-11-04 05:26:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.