From Fedora Project Wiki

Description

This tests what happens when a ca-bundle.crt bundle has been modified in a previous Fedora release, which is then upgraded to use shared system cetrificates.

Setup

  1. Prepare a clean Fedora 18 install.
    You can setup a new virtual machine using the Fedora 18 Live CD.
    Proceed with the setup as usual, and complete first boot, then log in.
  2. Install wget
    sudo yum install wget
  3. Download the necessary certificate file:
    $ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
  4. Become root
    $ sudo -s
    The commands below should be executed as root

How to test

  1. Modify the ca-bundle.crt ca-bundle.trust.crt' and cacerts` files, by adding a certificate:
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
  2. Modify the 'cacerts` file by adding a certificate:
    # openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
    # keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test
    The password is 'changeit', answer 'yes' when prompted
    Should see "Certificate was added to keystore"
  3. Verify that the files have been modified
    #rpm -V ca-certificates
    You should see all the three files modified above listed.
  4. Upgrade the packages in question to Fedora 19
    # yum update --nogpgcheck --releasever=19 ca-certificates
    A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed. If you hit broken dependencies during the update, do not hesitate to try --skip-broken, update should then proceed smoothly.
    Alternatively you may perform a complete upgrade

Expected Results

  1. You should see that the bundles which were modified above, are now saved as .rpmsave files in these locations:
    /etc/pki/java/cacerts.rpmsave
    /etc/pki/tls/certs/ca-bundle.crt.rpmsave
    /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave
  2. Verify that the java .rpmsave file contains the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
    The password is 'changeit'
    You should see a line of output that contains "p11-test" and "trustedCertEntry"
  3. Verify that the java in use cacerts file does not contain the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
    The password is 'changeit'
    You should see no certificate lines of output.
  4. Verify that the ca-bundle.crt.rpmsave file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
  5. Verify that the ca-bundle.trust.crt.rpmsave file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"



Troubleshooting

  • Because rpm is broken in this case (see bug for details), we use .rpmsave instead of .rpmnew files here. But because upgrading a Fedora system is not a completely seamless and supported operation this is an appropriate compromise.