Red Hat CERTIFICATE SYSTEM 7.2 - RELEASE NOTES Release Note page 13

Bug Number  Description

57800  It is possible for inconsistencies to arise between the TPS database and the CA database, so that certificate statuses may not be correct. The TPS database only maintains the certificate statuses on tokens that were last seen by the TPS system. For example, if a certificate is manually revoked by the CA agent, then that revocation status does not get updated automatically in the TPS database. There is no known workaround for this issue at this time.

57875  To verify whether the full CA chain is in a security database, such as that of an OCSP or subordinate CA, open the security database directory, like /var/lib/instance_ID/alias. To list all the CA certificates and their nicknames, run certutil with the following options:

    certutil -d . -L

To confirm that a particular certificate is included in the database, run certutil with the following options:

    certutil -d . -L -n nickname

nickname is the nickname of the certificate.

The only time a certificate chain is needed for the OCSP service is if the CA connects to the OCSP through SSL authentication when it publishes its CRL. Otherwise, the OCSP does not need to have the complete certificate chain to verify the CRL; the OCSP must have the certificate which signed the CRL, either the CA signing certificate or a CRL signing certificate. If both a root CA and one of its subordinate CAs publish CRLs to an OCSP, the OCSP needs the CA signing certificate of both CAs. The signing certificate can be imported into the OCSP database through the OCSP agent interface.

57978  Trying to add the nsTokenUserKeySubjectName default with No Constraint extension to a certificate profile through the Certificate Manager Console throws a null pointer exception, and the default is not added.

57991  The server certificate nicknames created through the subsystem configuration wizard cannot be edited in the Requests and Certificates panel. These certificate nicknames are not currently shown in that part of the configuration UI; that field is left blank in the pretty-print view. This can cause naming collisions if a hardware token is used for a subsystem and server certificates are already stored on the token.

58058  Generating key pairs on Safenet LunaSA hardware modules can fail with the error CKR_MAX_OBJECT_COUNT_EXCEEDED. On LunaSA tokens, the number of objects cannot exceed 127. When an object is deleted, the label for that object remains and is counted. Delete the empty labels to lower the count. Key generation can then proceed.

58201  When configuring a cloned CA, the administrator certificate panel is displayed, but grayed out. Clicking Next to proceed to the next panel displays a pop-up box that the certificate was successfully imported into the browser when, actually, no action was taken.

58228  Even after the configuration process is successfully completed, the configuration wizard

Known Issues
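For the chain check described under bug 57875 above, an added example that is not part of the Release Notes: a POSIX shell helper that reads the output of certutil -d <dir> -L and confirms that each required CA signing certificate is present with the C (trusted CA) flag, which is what an OCSP needs for every CA whose CRLs it verifies. The database path, the nicknames and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Release Notes: check a `certutil -d <dir> -L` listing for
# the CA signing certificates an OCSP responder needs to verify published CRLs.
# Assumes the usual certutil listing layout (nickname, then a trust-attribute column
# such as CTu,Cu,Cu). Nicknames and the sample listing below are constructed.

# Constructed sample of `certutil -d /var/lib/instance_ID/alias -L` output.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ocsp                                u,u,u
Server-Cert cert-pki-ocsp                                    u,u,u'

# Read a listing on stdin and print the trust attributes of the given nickname;
# print nothing if the nickname is absent. Only lines whose last field looks like
# a trust-attribute triple (e.g. CTu,Cu,Cu) are considered, which skips the header.
trust_for() {
    awk -v nick="$1" '
        $NF ~ /^[CTcuPpwW]*,[CTcuPpwW]*,[CTcuPpwW]*$/ {
            sub(/[ \t]+$/, "")
            flags = $NF
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# Read a listing on stdin; succeed only if every nickname given as an argument is
# present and carries the C (trusted CA) flag in the SSL slot. Each missing or
# untrusted nickname is reported, so the CRL verification gap is visible.
check_ca_chain() {
    listing=$(cat)
    rc=0
    for nick in "$@"; do
        flags=$(printf '%s\n' "$listing" | trust_for "$nick")
        case "${flags%%,*}" in
            *C*) ;;
            *) echo "missing or not trusted as a CA: $nick"; rc=1 ;;
        esac
    done
    return $rc
}

# Real use against a subsystem database (nicknames are placeholders):
#   certutil -d /var/lib/instance_ID/alias -L | check_ca_chain "rootCA" "subCA"
```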