- Bug
- Resolution: Done-Errata
- Major
- 4.10
- Critical
- None
- 55
- Sprint 234, Sprint 235, Sprint 236, Sprint 237
- 4
- Rejected
- Unspecified
- Bug Fix
- Done
Description of problem:
mTLS connections do not work when an intermediate CA is used in addition to the root CA and both CAs have a CRL defined.
The intermediate CA certificate had a published CDP which pointed to a CRL issued by the root CA.
The config map in the openshift-ingress namespace contains the CRL issued by the root CA. The CRL issued by the intermediate CA is not present, because the CDP that points to it appears only in the user certificate, so that CRL never makes it into the bundle.
When attempting to connect using a user certificate issued by the intermediate CA, the connection fails with an "unknown CA" error.
When attempting to connect using a user certificate issued by the root CA, the connection is successful.
Version-Release number of selected component (if applicable):
4.10.24
How reproducible:
Always
Steps to Reproduce:
1. Configure a root CA and an intermediate CA, each with a CRL
2. Sign a client certificate with the intermediate CA
3. Configure mTLS in openshift-ingress
Actual results:
When attempting to connect using a user certificate issued by the intermediate CA, the connection fails with an "unknown CA" error.
When attempting to connect using a user certificate issued by the root CA, the connection is successful.
Expected results:
Be able to connect with a client certificate signed by the intermediate CA.
Additional info:
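The failure can be reproduced locally with the openssl CLI. The script below is an added example and is not part of this bug report, of OpenShift or of the ingress router: it builds a root CA, an intermediate CA, a client certificate signed by the intermediate, and one CRL per CA, then verifies the client certificate with CRL checking enforced for every certificate in the chain, once with only the root CA's CRL (the shape of the bundle described above) and once with both CRLs. The CA names, the minimal OpenSSL config file and the temporary file layout are constructed for the demo; the router's own TLS handling is not modelled, only the underlying X.509 check that fails when the intermediate's CRL is missing.

```shell
#!/bin/sh
# Added demo (not from the bug report): show why a CRL bundle that holds only the
# root CA's CRL cannot validate a client certificate issued by an intermediate CA
# when CRL checking is enforced for the whole chain.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config for `req` and `ca -gencrl` (constructed for this demo).
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
default_md = sha256
default_crl_days = 30
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
: > index.txt

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed root CA.
openssl req -config ca.cnf -x509 $KEYOPTS -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 365 -extensions v3_ca 2>/dev/null

# Intermediate CA signed by the root.
openssl req -config ca.cnf -new $KEYOPTS -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 365 -extfile ca.cnf -extensions v3_ca 2>/dev/null

# Client certificate signed by the intermediate (the failing case in the bug).
openssl req -config ca.cnf -new $KEYOPTS -keyout client.key -out client.csr \
  -subj "/CN=demo-user" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out client.pem -days 365 -extfile ca.cnf -extensions v3_client 2>/dev/null

# One (empty) CRL per CA, each signed by the CA that issues it.
openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem -out root.crl 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile inter.key -cert inter.pem -out inter.crl 2>/dev/null

# Verify the client certificate with CRL checking for every certificate in the
# chain, presenting the given CRL files as the "bundle". Prints OK on success,
# otherwise the verifier's reason (e.g. "unable to get certificate CRL").
verify_client() {
  crl_args=""
  for f in "$@"; do crl_args="$crl_args -CRLfile $WORK/$f"; done
  if out=$(openssl verify -crl_check_all -CAfile "$WORK/root.pem" \
             -untrusted "$WORK/inter.pem" $crl_args "$WORK/client.pem" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# Expected: "unable to get certificate CRL" for the first line, "OK" for the second.
echo "root CRL only:            $(verify_client root.crl)"
echo "root + intermediate CRLs: $(verify_client root.crl inter.crl)"
```

The same test is the useful check for a CRL bundle destined for the ingress config map: every CA that issued a certificate in the client chain, the intermediate included, must have a current CRL in the bundle, or clients whose certificates chain through that CA will be rejected even though the root's CRL is present.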
- blocks: OCPBUGS-13964 mtls CRL not working when using an intermediate CA (Closed)
- is cloned by: OCPBUGS-13964 mtls CRL not working when using an intermediate CA (Closed)
- links to: RHEA-2023:5006 rpm