EJBCA / ECA-7096

Don't store certificate meta data option makes expireDate not published, causing archiveCutOff

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.15.0
    • Component/s: None
    • Labels:
      None
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Sprint 18

      Description

      In a publisher meant for VA publishing, you can set the option "Don't store certificate meta data except for CA and OCSP signing certificates". This will cause some fields from CertificateData on the CA to not be stored in the VA. One of the fields that looks like it's left out is expireDate (if I read the code correctly).

      If expireDate is set to -1, the certificate will always be seen as expired when the VA answers OCSP queries. This will cause the archiveCutOff OCSP extension to be returned.

      In practice this will be invalid. expireDate should not be considered sensitive Meta Data and should be published so the responder can work correctly.
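The failure described above, as an added example that is not part of the original issue and is not EJBCA code: a simplified model of a publisher that strips metadata and a responder that compares expireDate with the current time. The class and function names are hypothetical, expireDate is assumed to be in epoch milliseconds, and the sample rows are constructed.

```python
from dataclasses import dataclass

# id-pkix-ocsp-archive-cutoff, the archiveCutoff extension OID from RFC 6960
ARCHIVE_CUTOFF_OID = "1.3.6.1.5.5.7.48.1.6"
UNSET = -1  # value the issue says expireDate ends up with on the VA


@dataclass
class VaRow:
    """Hypothetical, reduced view of one published certificate row."""
    fingerprint: str
    expire_date_ms: int          # epoch milliseconds (assumed unit) or UNSET
    is_ca_or_ocsp_signer: bool = False


def publish(row, strip_metadata, keep_expire_date):
    """Model the publisher option; keep_expire_date models the requested fix."""
    if not strip_metadata or row.is_ca_or_ocsp_signer or keep_expire_date:
        return row
    return VaRow(row.fingerprint, UNSET, row.is_ca_or_ocsp_signer)


def response_extensions(row, now_ms):
    """Responder side: a row whose expireDate is before 'now' counts as expired."""
    expired = row.expire_date_ms < now_ms   # UNSET (-1) is always before now
    return [ARCHIVE_CUTOFF_OID] if expired else []


def audit(rows):
    """Fingerprints of VA rows that are answered as expired only because
    expireDate was never published."""
    return [r.fingerprint for r in rows if r.expire_date_ms == UNSET]


NOW_MS = 1_700_000_000_000                      # constructed "current time"
ONE_YEAR_MS = 365 * 24 * 3600 * 1000
CA_SIDE = [                                      # constructed sample rows
    VaRow("aa11", NOW_MS + ONE_YEAR_MS),
    VaRow("bb22", NOW_MS + ONE_YEAR_MS, is_ca_or_ocsp_signer=True),
]

if __name__ == "__main__":
    va = [publish(r, strip_metadata=True, keep_expire_date=False) for r in CA_SIDE]
    for r in va:
        print(r.fingerprint, response_extensions(r, NOW_MS))
    print("unset expireDate:", audit(va))
```
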

       

       


            People

            • Assignee: Tomas Gustavsson
            • Reporter: Tomas Gustavsson
            • Verified by: Mike Agrenius Kushner
            • Votes: 0
            • Watchers: 2


                Time Tracking

                • Original Estimate: 3 days
                • Remaining Estimate: 0 minutes
                • Time Spent: 2 hours