Project

General

Profile

Actions

Bug #6947

closed

Deleting an external CA wipes certificates in use

Added by Kill Bill about 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Kill Bill
Category:
Certificates
Target version:
Start date:
11/20/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.x
Affected Architecture:
All

Description

This is beyond uncool. When I accidentally deleted an external (intermediate) CA cert from the CAs tab, it wiped the certificate used for WebGUI -- no questions asked, no "in use" check done, nothing.

Actions #1

Updated by Jim Thompson about 8 years ago

  • Assignee set to Jim Pingle

please validate and hand back.

Actions #2

Updated by Jim Pingle about 8 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle about 8 years ago

  • Assignee changed from Jim Pingle to Kill Bill
  • Target version set to 2.4.0
Actions #4

Updated by Kill Bill about 8 years ago

Looks pretty good. CA in use detection works (tested with OpenVPN server, IPsec and LDAP), plus can no longer be deleted. Tried deleting one of the CAs that not "in use", certificates remained there.

One thing you seem to have missed is checking for "CA in use" case for the WebGUI.

Actions #5

Updated by Jim Pingle about 8 years ago

That would require some more work to detect if it's the GUI cert's issuer, and the GUI cert could be self-signed, since there is not a separate field to pick the CA for the GUI cert. There were a couple similar cases like that which could use some more thought but felt out of scope here for the moment.

Actions #6

Updated by Kill Bill about 8 years ago

Jim Pingle wrote:

That would require some more work to detect if it's the GUI cert's issuer.

Hmmm well, that already appears to be working (on the "Certificates" tab anyway, just not for the CAs). Regardless, much better than before. Thanks.

Actions #7

Updated by Jim Pingle about 8 years ago

The cert case is much simpler since there is a field for that directly. All the code has to check for is that the cert's reference ID is used directly. The other fields that are checked for CA are where it can be chosen specifically (OpenVPN server/client, LDAP auth server peer CA entry, IPsec P1 peer CA entry) where all it has to do is check the CA reference ID in the same way.

The trickier cases are when the CA is assumed or calculated based on the selected certificate. I could see intermediates falling into the same trap. The necessary logic gets rather complicated fast in that area, so in the interest of fixing the more dangerous issue I hit the low-hanging fruit for the time being. :-)

Actions #8

Updated by Jim Pingle about 8 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF