Bug #6947

Deleting an external CA wipes certificates in use

Added by Kill Bill 11 months ago. Updated 11 months ago.

Status: Resolved
Priority: Very High
Assignee:
Category: Certificates
Target version:
Start date: 11/20/2016
Due date:
% Done: 100%
Affected version: 2.3.x
Affected Architecture: All

Description

This is beyond uncool. When I accidentally deleted an external (intermediate) CA cert from the CAs tab, it wiped the certificate used for WebGUI -- no questions asked, no "in use" check done, nothing.

Associated revisions

Revision e2c718c8
Added by Jim Pingle 11 months ago

Add some CA in-use test utility functions. Ticket #6947

Revision 80080a0c
Added by Jim Pingle 11 months ago

When deleting a CA, do not delete all certificates from this CA, only remove the CA reference from certificates that used this CA, as the relationship can be rebuilt if needed. Also, prevent in-use CAs from being deleted and print a list of places a CA is used, similar to the output on certificates. Fixes #6947

History

#1 Updated by Jim Thompson 11 months ago

  • Assignee set to Jim Pingle

Please validate and hand back.

#2 Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle 11 months ago

  • Assignee changed from Jim Pingle to Kill Bill
  • Target version set to 2.4.0

#4 Updated by Kill Bill 11 months ago

Looks pretty good. CA in use detection works (tested with OpenVPN server, IPsec and LDAP), plus it can no longer be deleted. Tried deleting one of the CAs that is not "in use", certificates remained there.

One thing you seem to have missed is checking for "CA in use" case for the WebGUI.

#5 Updated by Jim Pingle 11 months ago

That would require some more work to detect if it's the GUI cert's issuer, and the GUI cert could be self-signed, since there is not a separate field to pick the CA for the GUI cert. There were a couple similar cases like that which could use some more thought but felt out of scope here for the moment.

#6 Updated by Kill Bill 11 months ago

Jim Pingle wrote:

That would require some more work to detect if it's the GUI cert's issuer.

Hmmm well, that already appears to be working (on the "Certificates" tab anyway, just not for the CAs). Regardless, much better than before. Thanks.

#7 Updated by Jim Pingle 11 months ago

The cert case is much simpler since there is a field for that directly. All the code has to check for is that the cert's reference ID is used directly. The other fields that are checked for CA are where it can be chosen specifically (OpenVPN server/client, LDAP auth server peer CA entry, IPsec P1 peer CA entry) where all it has to do is check the CA reference ID in the same way.

The trickier cases are when the CA is assumed or calculated based on the selected certificate. I could see intermediates falling into the same trap. The necessary logic gets rather complicated fast in that area, so in the interest of fixing the more dangerous issue I hit the low-hanging fruit for the time being. :-)
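The two kinds of check discussed in this thread, as an added example that is not part of the ticket and is not pfSense code: a direct CA reference lookup, plus the derived case where the GUI names only a certificate and the CA has to be found by walking that certificate's issuer chain through intermediates. The config layout, key names and sample entries are constructed for illustration and are assumptions, and the derived check goes beyond what the revisions above are described as doing.

```python
# Constructed model of a firewall config; key names are hypothetical, not pfSense's schema.
CONFIG = {
    "cas": [
        {"refid": "ca-root", "descr": "Root CA", "caref": None},
        {"refid": "ca-int", "descr": "Intermediate CA", "caref": "ca-root"},
        {"refid": "ca-spare", "descr": "Unused CA", "caref": None},
    ],
    "certs": [
        {"refid": "crt-gui", "descr": "WebGUI cert", "caref": "ca-int"},
        {"refid": "crt-old", "descr": "Old cert", "caref": "ca-spare"},
    ],
    "openvpn_servers": [{"descr": "Road warriors", "caref": "ca-root"}],
    "ldap_servers": [],
    "ipsec_phase1": [],
    "webgui": {"certref": "crt-gui"},
}
DIRECT = ("openvpn_servers", "ldap_servers", "ipsec_phase1")  # CA chosen explicitly

def issuer_chain(config, caref):
    """Yield caref and each parent CA refid, stopping on loops or missing CAs."""
    cas = {ca["refid"]: ca for ca in config["cas"]}
    seen = set()
    while caref in cas and caref not in seen:
        seen.add(caref)
        yield caref
        caref = cas[caref].get("caref")

def ca_in_use(config, ca_refid):
    """Return the places that depend on the CA, directly or through the GUI cert."""
    uses = [f"{section}: {item['descr']}"
            for section in DIRECT
            for item in config[section] if item.get("caref") == ca_refid]
    # Derived case: the GUI only names a certificate, so walk that cert's issuers.
    certs = {c["refid"]: c for c in config["certs"]}
    gui = certs.get(config["webgui"].get("certref"))
    if gui and ca_refid in issuer_chain(config, gui.get("caref")):
        uses.append(f"webgui: issuer of {gui['descr']}")
    return uses

def delete_ca(config, ca_refid):
    """Refuse to delete an in-use CA; otherwise drop only the CA and references to it."""
    uses = ca_in_use(config, ca_refid)
    if uses:
        raise ValueError(f"CA {ca_refid} is in use by: " + ", ".join(uses))
    config["cas"] = [ca for ca in config["cas"] if ca["refid"] != ca_refid]
    for entry in config["certs"] + config["cas"]:
        if entry.get("caref") == ca_refid:
            entry["caref"] = None  # keep the certificate, only unlink it from the CA
```

A self-signed GUI certificate has no CA reference in this model, so the chain walk yields nothing and no CA is reported as in use for it.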

#8 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved
