Bug #31574
closed
The Artemis client certificate is not updated in truststore if it changes
Description
The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>
[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>
[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B
Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>
[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56
They should match, but don't.
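The manual comparison in the description can be scripted as a repeatable check. This is an added example, not part of the original report or of the Foreman/Katello code; the function names and the `TRUSTSTORE_PASS` environment variable are assumptions, and the script uses whichever digest keytool reports (SHA1 or SHA-256) when it asks openssl for the on-disk fingerprint.

```shell
#!/bin/sh
# Added example: detect a stale truststore entry by comparing fingerprints.

# Normalise a fingerprint to upper-case hex without separators.
norm_fp() { tr -d ': \r\n' | tr 'a-f' 'A-F'; }

# Read `keytool -list` output on stdin; print "ALGO FINGERPRINT" for alias $1.
# The fingerprint is expected on the line right after "<alias>, <date>, ...".
keytool_fp() {
    awk -v a="$1" '
        index($0, a ",") == 1 { hit = 1; next }
        hit && /fingerprint \(/ {
            algo = $0; sub(/.*\(/, "", algo); sub(/\).*/, "", algo)
            fp = $0; sub(/.*\): */, "", fp)
            print algo, fp; exit
        }
        { hit = 0 }'
}

# Read `openssl x509 -fingerprint` output on stdin; print the fingerprint.
openssl_fp() { sed -n 's/^.*[Ff]ingerprint=//p'; }

# Return 0 when the two fingerprints are equal, 1 when they differ.
same_fp() {
    [ "$(printf '%s' "$1" | norm_fp)" = "$(printf '%s' "$2" | norm_fp)" ]
}

# Live check; needs keytool and openssl on PATH.
# The store password is read from $TRUSTSTORE_PASS (assumed variable name)
# so it does not appear on the command line.
check_truststore() {  # usage: check_truststore <keystore> <alias> <cert.pem>
    entry=$(keytool -list -keystore "$1" -alias "$2" \
                -storepass:env TRUSTSTORE_PASS | keytool_fp "$2")
    [ -n "$entry" ] || { echo "alias $2 not found in $1" >&2; return 2; }
    algo=$(printf '%s' "${entry%% *}" | tr 'A-Z' 'a-z' | sed 's/-//')
    disk=$(openssl x509 -noout -fingerprint "-$algo" -in "$3" | openssl_fp)
    if same_fp "${entry#* }" "$disk"; then
        echo "OK: $2 matches $3"
    else
        echo "STALE: truststore $2=${entry#* } file=$disk" >&2
        return 1
    fi
}

if [ "$#" -eq 3 ]; then check_truststore "$@"; fi
```

Run it as `TRUSTSTORE_PASS=... sh check.sh truststore artemis-client java-client.crt` (the script file name is hypothetical); exit status 1 means the truststore entry no longer matches the certificate on disk.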