Bug 1518101 - PKCS#7 certificates order
Summary: PKCS#7 certificates order
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-28 08:38 UTC by Geetika Kapoor
Modified: 2018-04-10 20:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 20:54:49 UTC


Attachments
test_steps (deleted)
2017-11-28 08:38 UTC, Geetika Kapoor

Description Geetika Kapoor 2017-11-28 08:38:56 UTC
Created attachment 1359712 [details]
test_steps

Description of problem:

The certs in the PKCS#7 certificate chain are the same, but the order is not the same when it is seen in the CA Agent page (UI) and when observed using CMCResponse.

Refer to the Additional info section for the detailed certificates.

Version-Release number of selected component (if applicable):

rpm -qa pki-ca
pki-ca-10.5.1-1.el7.noarch

How reproducible:

always

Steps to Reproduce:

Refer to the attached document for test_steps.

Setup:
=====

RootCA --> ExternalCA --> ExternalCA1

RootCA is from nssdb.
ExternalCA is dogtag CA
ExternalCA is again CMC signed dogtag CA.

Actual results:

PKCS#7 certificate chain looks inconsistent

Expected results:

The concern is two different styles of PKCS#7 certificate in the
same product. Following a consistent order would make a lot of things
easier, including validation.

Reference: To know more, I refer to this:
https://tools.ietf.org/html/rfc4158, section "Introduction to
Certification Path Building". They talk about construction of the
certificate path.

Additional info:

Now verify the PKCS#7 certificate chain(CA signing) of ExternalCA1:

Case 1:
=======

/In case we process pkcs7 certificate using CMCResponse(as mentioned in
http://pki.fedoraproject.org/wiki/Issuing_CA_Signing_Certificate_with_CMC)/

$ CMCResponse -i ca_signing-cmc-response.bin -o cert_chain.p7b

[root@pki1 test]# cat ca_signing.crt


[root@pki1 test]# cat cert_chain.p7b




Certs order:

        Version: 3 (0x2)
        Serial Number: 24243 (0x5eb3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:47:45 2017 GMT
            Not After : Feb 24 10:47:45 2018 GMT
        Subject: O=ROOT, CN=Root CA Signing Certificate

        Version: 3 (0x2)
        Serial Number: 25725 (0x647d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:48:19 2017 GMT
            Not After : Feb 24 10:48:19 2018 GMT
        Subject: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Nov 24 19:05:37 2017 GMT
            Not After : Nov 24 19:05:37 2037 GMT
        Subject: O=EXAMPLE, OU=topology-CA-EX, CN=CA Signing Certificate


&&

 CA agent page
================

All three certificates are the same but the order of the certificates is
different. Example:

 Base 64 encoded certificate


Base 64 encoded certificate with CA certificate chain in pkcs7 format




So basically the order of the pkcs7 certs here is: host certificate first,
then the certificate that signs it, then the certificate that signs the
previous certificate.

Certs order:


        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Nov 24 19:05:37 2017 GMT
            Not After : Nov 24 19:05:37 2037 GMT
        Subject: O=EXAMPLE, OU=topology-CA-EX, CN=CA Signing Certificate


        Version: 3 (0x2)
        Serial Number: 25725 (0x647d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:48:19 2017 GMT
            Not After : Feb 24 10:48:19 2018 GMT
        Subject: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

        Version: 3 (0x2)
        Serial Number: 24243 (0x5eb3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:47:45 2017 GMT
            Not After : Feb 24 10:47:45 2018 GMT
        Subject: O=ROOT, CN=Root CA Signing Certificate
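
An added example, not part of the original report or of the pki-core code: one way a consumer can normalize both orderings shown above, by sorting the certificates leaf to root with issuer/subject name chaining, the matching step that RFC 4158 path building starts from. The names `Cert` and `order_leaf_to_root` are hypothetical; the serials and DNs are copied from the openssl output in the report, and signatures are not verified here.

```python
from collections import namedtuple

# Serial, issuer and subject copied from the openssl output in this report.
Cert = namedtuple("Cert", "serial issuer subject")
ROOT_DN = "O=ROOT, CN=Root CA Signing Certificate"
EXT_DN = "O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate"
EXT1_DN = "O=EXAMPLE, OU=topology-CA-EX, CN=CA Signing Certificate"
ROOT = Cert(24243, ROOT_DN, ROOT_DN)
EXT_CA = Cert(25725, ROOT_DN, EXT_DN)
EXT_CA1 = Cert(7, EXT_DN, EXT1_DN)

CMC_RESPONSE_ORDER = [ROOT, EXT_CA, EXT_CA1]  # Case 1: root first
AGENT_PAGE_ORDER = [EXT_CA1, EXT_CA, ROOT]    # CA agent page: leaf first


def order_leaf_to_root(certs):
    """Return certs ordered leaf -> root by issuer/subject name chaining.

    Name chaining only (hypothetical helper): signatures are NOT checked.
    Raises ValueError unless the bag forms exactly one unbroken path.
    """
    by_subject = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError("duplicate subject: " + c.subject)
        by_subject[c.subject] = c
    # A leaf is a cert whose subject is not the issuer of any other cert.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    path, current = [], leaves[0]
    while True:
        path.append(current)
        if current.issuer == current.subject:   # self-issued: path ends
            break
        parent = by_subject.get(current.issuer)
        if parent is None:                      # issuer not in the bag
            break
        if parent in path:
            raise ValueError("issuer loop at: " + parent.subject)
        current = parent
    if len(path) != len(certs):
        raise ValueError("certificates outside the path")
    return path
```

The SignedData certificates field is an ASN.1 SET OF, so a consumer that sorts the bag itself accepts both the CMCResponse output and the agent-page output.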

Comment 2 Matthew Harmsen 2017-11-30 22:01:56 UTC
During the PKI Team Meeting of 20171130, it was determined that this issue would be moved to RHEL 7.6.

Comment 3 Matthew Harmsen 2018-04-10 20:54:49 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:

edewata: close RHEL bug CLOSED UPSTREAM, keep upstream ticket in FUTURE

