Bug #6947
closed
Deleting an external CA wipes certificates in use
100%
Description
This is beyond uncool. When I accidentally deleted an external (intermediate) CA cert from the CAs tab, it wiped the certificate used for WebGUI -- no questions asked, no "in use" check done, nothing.
Updated by Jim Pingle about 8 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 80080a0c8b5949b1af97d1d49b4cc834d06875cf.
Updated by Jim Pingle about 8 years ago
- Assignee changed from Jim Pingle to Kill Bill
- Target version set to 2.4.0
Updated by Kill Bill about 8 years ago
Looks pretty good. CA in use detection works (tested with OpenVPN server, IPsec and LDAP), plus can no longer be deleted. Tried deleting one of the CAs that is not "in use", certificates remained there.
One thing you seem to have missed is checking for "CA in use" case for the WebGUI.
Updated by Jim Pingle about 8 years ago
That would require some more work to detect if it's the GUI cert's issuer, and the GUI cert could be self-signed, since there is not a separate field to pick the CA for the GUI cert. There were a couple similar cases like that which could use some more thought but felt out of scope here for the moment.
Updated by Kill Bill about 8 years ago
Jim Pingle wrote:
That would require some more work to detect if it's the GUI cert's issuer.
Hmmm well, that already appears to be working (on the "Certificates" tab anyway, just not for the CAs). Regardless, much better than before. Thanks.
Updated by Jim Pingle about 8 years ago
The cert case is much simpler since there is a field for that directly. All the code has to check for is that the cert's reference ID is used directly. The other fields that are checked for CA are where it can be chosen specifically (OpenVPN server/client, LDAP auth server peer CA entry, IPsec P1 peer CA entry) where all it has to do is check the CA reference ID in the same way.
The trickier cases are when the CA is assumed or calculated based on the selected certificate. I could see intermediates falling into the same trap. The necessary logic gets rather complicated fast in that area, so in the interest of fixing the more dangerous issue I hit the low-hanging fruit for the time being. :-)
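The difference discussed in this thread between a CA that a service selects directly and a CA that is only implied by a selected certificate, as an added example that is not part of the ticket or of pfSense's code. The config layout, the field names (`refid`, `caref`) and all sample entries are hypothetical and constructed for illustration.

```python
# Added example. Hypothetical config model; not pfSense's schema or code.
CONFIG = {  # constructed sample data
    "cas": [
        {"refid": "ca-root", "caref": None},        # root CA
        {"refid": "ca-int", "caref": "ca-root"},    # intermediate
        {"refid": "ca-vpn", "caref": None},
        {"refid": "ca-old", "caref": None},         # referenced by nothing
    ],
    "certs": [
        {"refid": "crt-gui", "caref": "ca-int"},
        {"refid": "crt-self", "caref": None},       # self-signed
    ],
    # Services where a CA is chosen explicitly.
    "ca_consumers": [("OpenVPN server", "ca-vpn")],
    # Services where only a certificate is chosen; the CA is implied.
    "cert_consumers": [("WebGUI", "crt-gui")],
}

def directly_referenced(config):
    """The simple check: CAs whose reference ID a service names directly."""
    return {caref for _, caref in config["ca_consumers"]}

def ca_usage(config):
    """Map each in-use CA to [(service, 'direct' | 'implied'), ...]."""
    parent = {ca["refid"]: ca["caref"] for ca in config["cas"]}
    issuer = {c["refid"]: c["caref"] for c in config["certs"]}
    usage = {}

    def walk(refid, service, kind):
        seen = set()  # stops on a reference loop in a damaged config
        while refid in parent and refid not in seen:
            seen.add(refid)
            usage.setdefault(refid, []).append((service, kind))
            refid, kind = parent[refid], "implied"  # ancestors are implied

    for service, caref in config["ca_consumers"]:
        walk(caref, service, "direct")
    for service, certref in config["cert_consumers"]:
        walk(issuer.get(certref), service, "implied")  # None if self-signed
    return usage

def can_delete_ca(config, refid):
    """Refuse deletion of any CA in the chain of something in use."""
    return refid not in ca_usage(config)

if __name__ == "__main__":
    for refid in ("ca-root", "ca-int", "ca-vpn", "ca-old"):
        print(refid, can_delete_ca(CONFIG, refid), ca_usage(CONFIG).get(refid))
```

In the sample data the direct-reference check alone would allow deleting `ca-int` and `ca-root`, even though the WebGUI certificate chains to both.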
Updated by Jim Pingle about 8 years ago
- Status changed from Feedback to Resolved