Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-7096

Don't store certificate meta data option makes expireDate not published, causing archiveCutOff

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.15.0
    • Component/s: None
    • Labels:
      None
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Sprint 18

      Description

      In a publisher, meant for VA publishing you can set the option "Don't store certificate meta data except for CA and OCSP signing certificates". This will cause some fields from CertificateData on the CA to not be stored in the VA. One of the fields that looks like it's left out if expireDate (if I read the code correctly).

       

      If expireDate is set to -1, the certificate will always be seens as expired when the VA answers OCSP queries. This will cause the archiveCutOff OCSP extension to be returned.

      In practice this will be invalid. expireDate should not be considered sensitive Meta Data and should be published so the responder can work correctly.

       

       

        Attachments

          Activity

            People

            Assignee:
            tomas Tomas Gustavsson
            Reporter:
            tomas Tomas Gustavsson
            Verified by:
            Mike Agrenius Kushner
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 3 days
                3d
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours Time Not Required
                2h