OpenDJ / OPENDJ-5201

Tools may prompt to trust certificate multiple times for different reasons

    Details

    • Type: Bug
    • Status: Dev backlog
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: tools
    • Labels:

      Description

      With the double prompt to trust the local server certificate in interactive dsconfig coupled with a default of don't trust, a user reading prompts has the impression that something is broken in the tool. Consider this interaction:

      The certificate 'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' is not trusted for the following reason: unable to find valid certification path to requested target
      
      Server Certificate:
      
      User DN  : CN=localhost, O=OpenDJ RSA Self-Signed Certificate
      Validity : From 'Wed Jun 20 09:48:39 CEST 2018'
                   To 'Tue Jun 15 09:48:39 CEST 2038'
      Issuer   : CN=localhost, O=OpenDJ RSA Self-Signed Certificate
      
      
      
      Do you trust this server certificate?
      
        1) No
        2) Yes, for this session only
        3) Yes, also add it to a truststore
        4) View certificate details
      
      Enter choice: [1]: 2
      
      
      The certificate 'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' is not trusted for the following reason: No name matching mark-Precision-5520 found
      
      Server Certificate:
      
      User DN  : CN=localhost, O=OpenDJ RSA Self-Signed Certificate
      Validity : From 'Wed Jun 20 09:48:39 CEST 2018'
                   To 'Tue Jun 15 09:48:39 CEST 2038'
      Issuer   : CN=localhost, O=OpenDJ RSA Self-Signed Certificate
      
      
      
      Do you trust this server certificate?
      
        1) No
        2) Yes, for this session only
        3) Yes, also add it to a truststore
        4) View certificate details
      
      Enter choice: [1]: 2
      

      If you read carefully, you might notice that the reasons given for not trusting the same certificate are different. You might notice the curiously long validity period of this self-signed cert. But you definitely notice that the default choice the second time for the cert you just agreed to trust is 1) No.
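
One way a tool could avoid the double prompt, as an added sketch that is not OpenDJ code: run the certification path check and the host name check up front, show every reason in a single prompt, and remember the answer per certificate and host. The Cert class, the fingerprint placeholder, the DNS name list and the exact-match name comparison are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:                       # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    dns_names: tuple              # names the certificate is valid for (assumed)
    fingerprint: str              # placeholder value, not a real digest

def trust_failures(cert, host, truststore):
    """Run every check first and return all reasons the certificate is untrusted."""
    reasons = []
    if cert.fingerprint not in truststore:
        reasons.append("unable to find valid certification path to requested target")
    # Exact, case-insensitive comparison only; wildcard names are out of scope here.
    if host.lower() not in (n.lower() for n in cert.dns_names):
        reasons.append(f"No name matching {host} found")
    return reasons

@dataclass
class TrustPrompter:
    ask: callable                 # ask(cert, host, reasons) -> "1", "2", "3" or ""
    truststore: set = field(default_factory=set)
    session: set = field(default_factory=set)
    prompts: int = 0

    def is_trusted(self, cert, host):
        # Bind the decision to the host as well, so accepting a name mismatch
        # for one host does not silently cover a different host.
        key = (cert.fingerprint, host.lower())
        if key in self.session:
            return True
        reasons = trust_failures(cert, host, self.truststore)
        if not reasons:
            return True
        self.prompts += 1
        choice = self.ask(cert, host, reasons) or "1"   # empty input keeps default: No
        if choice == "3":
            self.truststore.add(cert.fingerprint)
        if choice in ("2", "3"):
            self.session.add(key)
            return True
        return False
```

The default stays at 1) No; the difference is that the user sees both reasons at once and is asked a single time for a given certificate and host.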

            People

            • Assignee: Unassigned
            • Reporter: Mark Craig